Update: Facebook has patched a vulnerability in the desktop and Android mobile versions of its Messenger app that allows an attacker to access and modify chats.
Researchers at Check Point Software Technologies privately disclosed the issue May 2 to Facebook, which patched it two weeks later. The flaw, Check Point said, allows an attacker to, among other things, access chat history and add or change links to a chat session. If the victim is persuaded to click on what is now a malicious link, they could start a malware download or establish a connection to an attacker’s command and control server.
Check Point said the victim would be unaware of the changes, that chat threads could be deleted or modified, and that links and files could be replaced or added; researcher Roman Zaikin is credited with the discovery.
Facebook, meanwhile, refutes some of these claims. A representative told Threatpost that the bug allows an attacker to change only their own messages—not someone else’s messages—and that this is a temporary condition until the app re-fetches data from Facebook’s servers. Also, original messages would still be accessible on other platforms, meaning there was always a place where messages would be reflected correctly, Facebook said.
“This bug affected the Android Messenger interface, but the message content was still correctly reflected on other platforms,” Facebook said in a blogpost published today. “We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed.”
Facebook also shot down the thinking that an attacker could inject content, including links, that would have been blocked in the original messages.
“All messages are still sent through our antimalware and antispam filters,” Facebook said.
Oded Vanunu, head of products vulnerability research at Check Point, told Threatpost that if an attacker can retrieve an identifier known as the message_id parameter from the Messenger app, they would be able to manipulate messages without a notification being sent to the user’s desktop or mobile device. A sample attack is described in the Check Point report.
“The bug is in the business logic of the Facebook Messenger app,” Vanunu said. The message_id parameter is sequential and Vanunu said it is trivial to manipulate that parameter and modify chat content.
“One of the attack scenarios happens where an attacker could send a legitimate URL and send additional information making it attractive to you to click,” Vanunu said. “At first, you will see legitimate content and nothing will be wrong. But after some time, the attacker would have replaced the URL to point at the infection, and since the user has already trusted the URL, they could be persuaded to click it again.”
Facebook said the random ID allows it to identify when the same message is sent multiple times.
“On most clients — including iOS — when duplicate messages are detected, the first message takes precedence and is displayed on both the sender’s and receiver’s device,” Facebook said in a blogpost published today. “However, a misconfiguration with the Messenger app on Android resulted in the last message being displayed instead. As a result, a sender could write a message and then appear to change its content retroactively.”
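The precedence rule Facebook describes is the whole difference between the Android behaviour and the fixed one. The following is an added example, not Facebook's or Check Point's code: a simulated client that rebuilds a chat view from a stream of message events keyed by a hypothetical message_id, with the "first message wins" policy beside the "last message wins" misconfiguration, and which records any duplicate id whose body differs, which is the signal a defender would want logged. The message ids, sender names and bodies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Message:
    message_id: int   # hypothetical stand-in for the message_id parameter in the article
    sender: str
    body: str

def render_thread(stream: Iterable[Message], policy: str = "first"):
    """Build the chat view a client would display from a stream of message events.

    policy="first": the first message seen for an id wins (what Facebook describes
                    for iOS and most clients, and the corrected behaviour).
    policy="last":  a later event with the same id overwrites the earlier one
                    (the Android misconfiguration the article describes).
    Returns (view, conflicts): view maps message_id -> Message; conflicts lists each
    duplicate id whose body differed from what was already on screen.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    view: dict[int, Message] = {}
    conflicts: list[tuple[int, str, str]] = []
    for msg in stream:
        shown = view.get(msg.message_id)
        if shown is None:
            view[msg.message_id] = msg
            continue
        if shown.body != msg.body:
            # Same id, different content: worth logging regardless of policy.
            conflicts.append((msg.message_id, shown.body, msg.body))
        if policy == "last":
            view[msg.message_id] = msg      # retroactive change becomes visible
        # policy == "first": the duplicate is ignored and the original stays on screen
    return view, conflicts

# Constructed sample stream: id 1001 arrives, then arrives again with a different body.
SAMPLE_STREAM = [
    Message(1001, "alice", "Report is in the shared folder, v1"),
    Message(1002, "bob", "Thanks, looking now"),
    Message(1001, "alice", "Report is in the shared folder, v2 (edited after the fact)"),
]

def thread_lines(view: dict[int, Message]) -> list[str]:
    """Render the view as one line per message, ordered by id."""
    ordered = sorted(view.values(), key=lambda m: m.message_id)
    return [f"{m.message_id} {m.sender}: {m.body}" for m in ordered]

if __name__ == "__main__":
    for policy in ("first", "last"):
        view, conflicts = render_thread(SAMPLE_STREAM, policy)
        print(f"--- policy={policy} ---")
        print("\n".join(thread_lines(view)))
        print("conflicting duplicate ids:", [c[0] for c in conflicts])
```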
An attacker could also abuse this vulnerability to automate a connection between a victim’s computer and a command and control server, Check Point said. An attacker could use this to move ransomware for example, Vanunu said.
“The main challenge with ransomware for criminals is to make sure infection points would be live for long periods,” he said, referring to command and control servers storing the private keys that encrypt data on victims’ machines. Vanunu said servers are on average alive for 24 to 48 hours before signatures in security products close off connections.
“With this method, a criminal can do some automation and send malicious activity to thousands of people so that every time there is a new infection point, it gets changed in the background,” Vanunu said. “This way they can change the links without anyone noticing; it’s an excellent method for sending private keys.”
Facebook has made the change to its business logic and this vulnerability has been closed off.
“Facebook was very responsive and took this seriously,” Vanunu said. “It’s important to understand that this infrastructure is serving hundreds of millions of users. Bringing a code change could be harmful. Facebook managed to close this vulnerability in two weeks.”
This article was updated June 7 with comments and clarifications from Facebook.