Facebook has fixed a vulnerability in Facebook Messenger after Check Point disclosed details about it.
The vulnerability allows a malicious user to change a conversation thread in Facebook Online Chat and the Messenger app. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link and more.
The vulnerability was fully disclosed to the Facebook Security team earlier this month and, following a joint effort, it has been patched.
There are a few potential attack vectors that abuse this vulnerability. These schemes could have a severe impact on users due to Facebook’s vital role in everyday activities worldwide. Many users rely on Facebook for personal and business-related communications, which makes this type of vulnerability very attractive to attackers.
* Malicious users can manipulate message history as part of fraud campaigns. A malicious actor can change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
* Hackers can tamper with, alter or hide important information in Facebook chat communications, which can have legal repercussions. These chats can be admitted as evidence in legal investigations, and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.
* The vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest command-and-control (C&C) address, and keep the phishing scheme up to date.
“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” says Oded Vanunu, head of products vulnerability research at Check Point. “We applaud Facebook for such a rapid response and putting security first for their users.”