A security flaw that allows a malicious user to alter a past(or recent) conversation thread has been uncovered by the security researchers at the cybersecurity firm, CheckPoint. The vulnerability is only limited to Facebook Chat Web Client and Android Messenger application, and gives user the power to modify or delete any sent text message, photo, file, link and much more.
The vulnerability could have been a cause for potential damage for 900 million users who currently use the platform as a part of their everyday routine. According to CheckPoint, this bug could have been very disruptive for personal and business related communications as it allowed hackers to change the text in a sent message or introduce a malware link in place of another link, tricking you into installing the malicious package on your PC.
Oded Vanunu, Head of Products Vulnerability Research at Check Point said that,
By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing, What’s worse. The hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations.
The cybersecurity company also believes that hackers could use this vulnerability and tamper, hide or edit conversations which could have legal repercussions, incriminating an innocent human for a charge he hasn’t even committed.
Let’s discuss the details of how a user could access another Facebook user’s messenger and alter the conversation to look as if it the original text.
The vulnerability explained in the CheckPoint report states that each message in the chat application is assigned a random identifier “message_id”, which once located by the hacker could be exploited to alter the contents of a message and sending it back to the Facebook servers. The new message thus replaces the old message without even sending a push notification of the change to the user.
But, as they say – there’s always two sides of the same coin.
Checkpoint Securities in the blogpost reports that they had discovered the bug over a month ago, and has since then been working closely with the team at Facebook to counter the problem.
In a blogpost, Facebook reports that it has now fixed the message duplication bug — that was a small coding error that led to the vulnerability. But, it also mentions that the messages could only be altered by the person who sent you the message, so there’s probably nothing to worry about — if you trust your texting buddy.
Facebook also elaborated on the vulnerability saying that it couldn’t be exploited to send malicious packages over to another user, as the newly altered content would have been subject to anti-malware and anti-spam filters and eliminated.
Facebook appreciated the work of the whitehat researchers, a part of the Facebook Bug Bounty program for reporting the issue and helping create a better experience for all the people who use Messenger. The bug bounty program has really proven useful for internet tech giants like Facebook to curb vulnerability that miss their eye.