Facebook Messenger: Security vulnerability in private messages

Many people believe that private chat histories remain private, but there are always gaps that allow access to private messages. This also applies to the “Originull” bug.

As reported on the website 'Golem', the security company 'Cynet' managed to access Facebook Messenger messages via a crafted website.

Through a so-called cross-origin bypass attack, data thieves would have had access to the communications (private chats, photos and attachments) of around a billion Messenger users. It is not known whether this vulnerability was actually actively exploited.

The bug was discovered by 'Cynet's' research member Ysrael Gurt. A video is intended to show how such an attack could have taken place:

Danger should already be averted

'Cynet's' experts have already reported the serious bug “Originull” to Facebook. The social media giant reacted quickly and is said to have already closed the gap.

According to the website 'Winfuture', the user is usually protected by the browser and only allows Facebook to access the data. Facebook opens a “bridge” to enable access to “subpages” of Facebook.com. This resulted in an error in identifying the actually intended access.

Switching from the PC to the messenger smartphone app would not have been helpful, because you could also view the chat history here.

Users who have been using “Secret Conversations” since the summer would not have been affected by the bug because the end-to-end encryption prevented the data from being fished out.

Not an isolated case

Back in June, Facebook had to close a security hole in Facebook Messenger.

Attackers were able to manipulate communication processes, insert malware and change history.

Sources: Golem , Winfuture , Cynet