There is no perfect, fully secure computer program. Software is written by people, so it cannot be free of defects and faults. Even if none are found initially, the chance of detecting a serious threat increases with each subsequent update. Of course, this applies even more to software as extensive as Facebook Messenger. Another serious vulnerability that threatened users' privacy has been discovered in the application.
In November, security researchers from Imperva discovered a Facebook bug that allowed specific information to be captured from user profiles through a cross-site frame leakage (CSFL) vulnerability. The same team has now discovered another threat: websites can easily check who you are chatting with on Facebook Messenger.
In a post on the Imperva blog, Ron Masas explained in detail how the CSFL attack uses iframe elements to determine the state of the application. Running the process against a Messenger contact could yield one of two states: empty or full. This revealed whether or not the user was in a conversation with that contact. Fortunately, this is the only way the bug could be used. It was not possible to read any messages or conversation history this way.
Despite the relatively low harm, Facebook was immediately informed of the bug, and the company decided to completely remove all iframe elements from the Messenger user interface.
Masas also points out that side-channel attacks based on browser properties are often overlooked. The problem does not affect large companies such as Facebook or Google, which can fix errors immediately. Awareness of the threats this poses, however, remains a problem for many other entities in the industry.