A cybersecurity company called Imperva has disclosed that Facebook Messenger had a bug that potentially let hackers see who you were talking to on the app. Although the bug didn’t reveal the content of the messages, the issue was a blatant breach of user privacy.
Ron Masas was the security sleuth at Imperva who made the discovery. He said that the bug affected users who were logged in to their accounts and visited a malicious site. Exploiting such a bug would require the expertise of a skilled hacker to pull off a high-level attack, but it would give the hacker a list of exactly who their target contacted.
Facebook was notified about the existence of the bug, and the problem has since been patched. But in his report about the attack, Masas wrote that such attacks, which “stem from the way web browsers handle content embedded in the webpage”, often go ignored. He thinks that browser-based side-channel attacks are overlooked. While big IT companies are catching up on this, the rest of the industry remains unaware. He believes this technique could become popular this year; hence the need for awareness.
In a statement to Facebook he said: “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”