Plagued with various privacy related issues, bugs and breaches, Facebook has for a while been trying to redeem itself and regain users trust by rolling out features that is more focused on users privacy. However, security breaches of all kind doesn't seem to leave the social platform.
The bug which was discovered by security researcher Ron Masas of cyber security firm Imperva, not long after CEO Mark Zuckerberg said he was working to make the social platform 'privacy focused' like WhatsApp.
The vulnerability existed in the web version of Messenger and allowed any website to reveal anyone that you have been chatting with.
Hackers that are trying to gain access to private accounts need only to get users to click a video to grant the hacker(s) access to check which contacts had recently engaged with the user over Facebook Messenger.
This bug could be easily exploited by hacker because the video would be disguised as a regular content.
Mr. Masas referred to the latest vulnerability as a 'side-channel attack, performed on an end user's web browser.' He explained that the attack is rendered by exploiting the iframe which is used to see whether a user has been or is actively engaging with chat boxes in the Facebook Messenger app.
"When the current user has not been in contact with a specific user, the iframe count would reach three and then always drop suddenly for a few milliseconds," Masas said. "This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violates those users' privacy."
"By recording frame count data over time, i found two new ways to leak cross-origin information," Masas added. "By looking at patterns instead of static number, i was able to leak the 'state' of a cross-origin window."
"Browser-based side-channel attacks are still an overlooked subject. While big players like Facebook and Google are catching up, most of the industry is still unaware," Masas said.
The researcher reported the vulnerability to Facebook who has rolled out a fix for it.