Facebook Messenger bug revealed who you had conversations with

The browser flaw let potential attackers figure out whose DMs you slid into.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

Facebook Messenger had a flaw that let potential attackers see who you had conversations with.

James Martin

Facebook is making a big shift to private messages, but it's not immune to security vulnerabilities.

Imperva, a cybersecurity company, on Thursday detailed a flaw with Facebook Messenger that allowed potential attackers to learn who you were talking with on the chatting service.

The security bug didn't show the content of the messages, but just knowing who you were in touch with has the potential to harm your privacy, said Ron Masas, the security researcher who discovered the vulnerability.

"It could be sent to high-profile targets to figure out who they've had a conversation with," Masas said. "If you sent a message to a bot to order pizzas, I would know."

Facebook said Thursday it fixed the bug in December. 
"The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook," a Facebook spokesperson said. "We've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we've updated the web version of Messenger to ensure this browser behavior isn't triggered on our service."

Masas had also detailed a similar Facebook bug in November, where data thieves could see private posts you've liked and what your friends have liked.

The bug worked by analyzing iFrames -- the code used to embed content like YouTube videos on pages. In your browser, Messenger loaded a specific number of iFrames for people you've had a conversation with and people you've never talked to, Masas said.

The security researcher developed a tool that'd report the number of iFrames loaded, and with that data, he could figure out who someone has been in touch with.
For the attack to work, the victim would have to click on a link leading to Masas' tool. In his proof-of-concept, he set the trap link as a video, so that unsuspecting victims would be distracted while that data was siphoned off.

So in one tab, you'd have the spying tool gathering data on iFrames of the recipient's Facebook page on another tab.

"The original tab can ask the browser how many iFrames another tab has," Masas said. "It looks for this pattern that indicates whether or not you've had a conversation with a person."

That pattern was a specific drop in iFrames if you've never spoken with somebody on Messenger.


The blue line indicates you never spoke with someone on Facebook Messenger. The red line means you did. That spike in the iFrames load indicates the difference.


When Masas first reported the flaw to Facebook on Nov. 29, the social network tried fixing it by randomizing the number of iFrames, he said. But even though the specific number of iFrames was removed, that drop in the pattern still existed, Masas said.

Facebook eventually fixed the flaw by removing iFrames from Messenger altogether.

The security vulnerability with Facebook Messenger comes a day after Mark Zuckerberg announced his plans for the future of the social network. The CEO said Facebook is moving toward a privacy-focused platform, with an emphasis on encrypted messaging.

But with the bug that Masas discovered, encryption wouldn't have stopped the flaw, the researcher said.
That's because it looked for iFrames, which your browser provided -- not Facebook.

"This data was leaked over the client side. In terms of encryption, it's not really going to affect this," he said. 
Originally published at 11 a.m. PT.
Updated at 4:06 p.m.: With a response from Facebook.