Friday, March 29, 2024

Critical bug allows to read all your Private Chats of Facebook Messenger by hackers

One of the network’s most popular features, with 1-billion active monthly users. Unlike photo and status features designed specifically for sharing and publishing, the power of Messenger is in the ability to communicate privately.

security vulnerability found on Facebook, which also potentially affects millions of websites using origin null restriction checks, threatening user privacy and opening site visitors up to malicious entities.

“The hack, dubbed “Originull,” enables an attacker to access and view all of a user’s private chats, photos and other attachments sent via Facebook Messenger. The issue was discovered and reported to Facebook by team researcher Ysrael Gurt.  (Facebook has since fixed the flawed component)”

“The vulnerability discovered is a cross-origin bypass-attack which allows the hacker to use an external website to access and read a user’s private Facebook messages”

Normally, the browser protects Messenger users from such occurrences by only allowing Facebook pages to access this information. However, Facebook opens a “bridge,” in order to enable “subsites” of Facebook.com to access Messenger information.

A vulnerability in the manner in which Facebook manages the identity of these subsites makes it possible for a malicious website to access private Messenger chats.

             The chat appears on the BugSec website. The user ID is shown to the left.

For example, if the user opens a website to which the hacker has directed them (via a malicious ad, a security issue, or the hacker’s own website), the hacker can then see all the Facebook Messenger chats, photos and other attachments which the user sends or receives.

This happens even if the user sends the messages by way of another computer, or from their personal mobile device!

 “This security flaw meant that the messages of 1-billion active monthly Messenger users were vulnerable to attackers,” said Stas Volfus, Chief Technology Officer of BugSec”

Watch the Facebook Messenger Originull video:

Website

Latest articles

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles