Wednesday, May 14, 2025
HomeData BreachCritical bug allows to read all your Private Chats of Facebook Messenger...

Critical bug allows to read all your Private Chats of Facebook Messenger by hackers

Published on

SIEM as a Service

Follow Us on Google News

One of the network’s most popular features, with 1-billion active monthly users. Unlike photo and status features designed specifically for sharing and publishing, the power of Messenger is in the ability to communicate privately.

security vulnerability found on Facebook, which also potentially affects millions of websites using origin null restriction checks, threatening user privacy and opening site visitors up to malicious entities.

“The hack, dubbed “Originull,” enables an attacker to access and view all of a user’s private chats, photos and other attachments sent via Facebook Messenger. The issue was discovered and reported to Facebook by team researcher Ysrael Gurt.  (Facebook has since fixed the flawed component)”

- Advertisement - Google News

“The vulnerability discovered is a cross-origin bypass-attack which allows the hacker to use an external website to access and read a user’s private Facebook messages”

Normally, the browser protects Messenger users from such occurrences by only allowing Facebook pages to access this information. However, Facebook opens a “bridge,” in order to enable “subsites” of Facebook.com to access Messenger information.

A vulnerability in the manner in which Facebook manages the identity of these subsites makes it possible for a malicious website to access private Messenger chats.

             The chat appears on the BugSec website. The user ID is shown to the left.

For example, if the user opens a website to which the hacker has directed them (via a malicious ad, a security issue, or the hacker’s own website), the hacker can then see all the Facebook Messenger chats, photos and other attachments which the user sends or receives.

This happens even if the user sends the messages by way of another computer, or from their personal mobile device!

 “This security flaw meant that the messages of 1-billion active monthly Messenger users were vulnerable to attackers,” said Stas Volfus, Chief Technology Officer of BugSec”

Watch the Facebook Messenger Originull video:

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...

New Adobe Photoshop Vulnerability Enables Arbitrary Code Execution

Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Marks & Spencer Confirms Customer Data Breach in Recent Cyber Attack

British retail giant Marks & Spencer has officially confirmed that customer personal data was...

Repeated Firmware Key-Management Failures Undermine Intel Boot Guard and UEFI Secure Boot

The security of fundamental technologies like Intel Boot Guard and UEFI Secure Boot has...

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into...