As Mark Zuckerberg conducts the privacy parade, a researcher has uncovered his findings from Facebook's Messenger vulnerability, potentially revealing information about who the users were communicating with . 19659003] Imperva Software Software Company, which previously identifies another bug that allows websites to see "user preferences," the history of Facebook's locations and interests, shared its vulnerability report in a blog post by researcher Ron Masas on Thursday. Using the user's browser, the hacker can potentially use the iframe properties to see who this messenger was.
Masas said the hacker could do this by essentially making a Messenger user click on a bad link to a malicious user site. Once a page is clicked, a new window will open, potentially from the user's point of view, and will allow the hacker to verify that the user has been or has not been in conversation with other Facebook users in Messenger. After Masas put the question on Facebook for the first time, he managed to catch up with the company's original decision:
After reporting Facebook's vulnerability under their responsible disclosure program, Facebook mitigated the problem of arbitrarily creating elements in the framework that originally they broke. my proof of the concept. However, after some work I managed to adapt my algorithm and distinguish the two countries. I shared my Facebook discovery, which decided to completely remove all frames from the Messenger UI.
The company noted that the problem was not specific to its platform, but confirmed that it really updated its code and removed iframes from its Messenger
. "The question in his report stems from the way web browsers handle the content, embedded in web pages, and is not specific to Facebook, "a Facebook spokesman said in a statement to Gizmodo. "We made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of problems in other web applications, and we've updated the Messenger web version to ensure that browser behavior is not it's "
Of course, an interesting week is for the arrival of such news as it faces Zuckerberg's" inviolability, "focused on the wicked union of WhatsApp, Facebook and Instagram. Zuckerberg writes in an extremely long post on Facebook this week that he believes that "a privacy-focused communication platform will become even more important than today's open platforms. Confidentiality gives people the freedom to be themselves and to connect more naturally, which is why we build social networks. "Anyway.
It is worth noting that although there is still a problem with privacy, the vulnerability does not seem to unload other details to talk differently than whether the user is communicating with another user or bot. But as Massas noted, "attacks on browser-based side channels are still overlooked, while big players like Facebook and Google catch up, most of the industry is still unaware." [The Verge]