Facebook is dismissing claims by a researcher who says multimedia content such as audio-based messages sent via its Facebook Messenger service can be intercepted by a third-party under certain conditions.
On Tuesday, Mohamed Baset, a security analyst at ecommerce firm Linio México, published a proof-of-concept video demonstrating what he calls a Facebook flaw that allows an attacker to access audio or video files from Facebook servers and play them back.
Facebook is dismissing Baset’s claims, telling Threatpost, “We appreciate researcher reports, but this is not a flaw and does not impact the normal functioning of voice clips on Messenger.”
Baset concedes that the alleged threat he illustrates represents a “narrow attack surface” and is “not really that dangerous for most users.”
The problem, Baset told Threatpost, is related to the fact Facebook is not enforcing HTTP Strict Transport Security (HSTS) for data stored on its content distribution network (CDN) servers. Facebook uses those CDN servers to store Messenger attachments. HSTS is a mechanism designed to protect websites against protocol downgrade attacks such as SSL stripping and cookie hijacking.
He warns that under certain conditions someone receiving a Facebook Messenger message that contains a multimedia attachment would need to downgrade their connection from HTTPS to HTTP in order playback the content. That’s because some repressive governments use deep packet inspection and SSL Throttling to block multimedia content sent via HTTPS.
To get around those restrictions, the Facebook message recipient can downgrade their Facebook connection from HTTPS to HTTP in order to playback the content from Facebook’s CDN servers. To do this a user would simply go into the URL field of their browser and remove the “S” from the HTTPS prefix of a URL. Under these conditions an attacker who shares the same network as the message recipient could perform a man-in-the-middle attack and sniff out the URL of the Messenger attachments and play back the files.
Baset acknowledges the attack window is small, but nevertheless real. He said if Facebook implemented HSTS it would lock out government spying, hackers and internet service providers from being able to sniff out account data and playback messages.
“The described technique only works if someone using Messenger chooses to manually load content on the CDN using HTTP—which our website and mobile clients would not do,” Facebook said. Facebook said voice clips are sent using HTTPS.
Baset reported his findings to Facebook’s bug bounty program and suggested HSTS should be implemented across all its CDNs. At that time, Facebook rejected the claim and said it would roll out further unspecified CDN protections in its own timeframe, according to Baset’s account of his interaction with Facebook.
“In a nutshell, HSTS will protect Facebook users from the lack of their security awareness,” Baset said. “Preventing users from doing something for the good of their privacy and safety is more important than giving them the ability to put themselves at risk.”
Facebook has insisted the presence or absence of HSTS has no impact on whether someone can intercept voice clips. Baset agrees, to the extent that Facebook can detect attempted SSL Strip attacks and force an end client to re-authenticate the HTTPS connection.
“Facebook is expiring the session when it detects SSL stripping attacks, so if the attacker initialed a successful SSL stripping attack, the user session will be invalid and have to re-authenticate again. But without HSTS an SSL stripping attack against Facebook has a greater chance of success,” Baset said.