A newly discovered vulnerability in Facebook Messenger could have allowed an attacker to modify or remove any sent message, photo, file, or link. The flaw, which was discovered by Check Point Software Technologies, has already been disclosed to Facebook’s security team, which worked with Check Point to patch the vulnerability.
“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” Oded Vanunu, head of Products Vulnerability Research at Check Point, said in a blog post. “We applaud Facebook for such a rapid response and putting security first for their users.”
Multiple Attack Vectors
The Messenger vulnerability, which also affected Facebook’s Online Chat app, was particularly attractive to hackers because of the popularity of those apps around the world for personal and business communications, according to Check Point. The vulnerability also offered hackers multiple vectors by which they could attack their targets.
The hack exploited the fact that each message in the Facebook chat applications — online and mobile — has its own unique identifier. The vulnerability allowed an attacker to store a request containing the identifier via a proxy while launching an attack.
Check Point said that malicious users could have used the vulnerability to manipulate message histories as part of fraud campaigns. For example, a hacker could have changed the history of a conversation to claim he had reached a falsified agreement with the victim, or simply changed the terms of an existing agreement, Check Point said.
Tampering, altering, or hiding information from a Facebook chat could have serious legal repercussions. Such chats can be admitted as evidence in legal investigations and the vulnerability would have allowed an attacker to hide evidence of a crime or even incriminate an innocent person.
Malware Distribution Vehicle
The vulnerability could also have been used to distribute malware, Check Point said in its blog post. An attacker could have used the flaw to change a legitimate link or file into a malicious one, and then could have persuaded the user to open it. The attacker could have then used this method to update the link to contain the malware’s latest command and control address and keep the phishing scheme up to date.
Such capabilities would have let a hacker manipulate the same attack vector to overcome the challenge of maintaining an active command and control server, one of the biggest problems facing ransomware propagators today.
Typically, ransomware campaigns only last a few days because security companies are able to block the links and command and control addresses once they become known, forcing the attackers to begin their campaigns all over again from scratch.
The Messenger vulnerability, on the other hand, could have allowed hackers to use automation techniques to continually outsmart security measures when the command and control servers are replaced.