Facebook Messenger bug made it possible for hackers to see who you have been chatting with

A security researcher has revealed details of a flaw in Facebook Messenger that made it possible for “any website to expose who you have been messaging with.”

Imperva’s Ron Masas, who in the past has identified a bug that allowed unauthorised websites to view Facebook users’ location histories, likes and interests, discovered the flaw in the web version of Facebook Messenger.

Masas discovered a way of exploiting the Messenger website’s use of iFrames to determine who users had been chatting with.

Hackers could potentially put the technique into practice by tricking a user into visiting a link to a malicious webpage.

The flaw, which is not present in the app versions of Facebook Messenger, cannot be used to expose the content of conversations – but can be used to figure out who you have been in conversation with.

Masas reported the security vulnerability to Facebook, and the web version of Messenger was fixed late last year – albeit only after Facebook’s first fix proved to be insufficient:

The revelation of a privacy flaw is hardly ideal timing for the social networking giant, which is attempting to shake off growing concerns from its billions of users.

Furthermore, in its statement it pointed out that the flaw on its Messenger website was not one that was Facebook-specific:

“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook.
