Skip to main content

Facebook Messenger had a vulnerability that could let hackers see who you contact

Facebook Messenger had a vulnerability that could let hackers see who you contact


Hackers could have used an uncommon attack that could become more popular

Share this story

Illustration by Alex Castro / The Verge

A previously reported Facebook vulnerability was similarly found in the company’s Messenger product, according to security research group Imperva. Nearly a year ago, Imperva researchers discovered that, through Messenger, a hacker could use “any website to expose who you have been messaging with.” The bug was disclosed to Facebook in November and subsequently patched.

Hackers could target a Facebook user’s web browser and exploit iframe elements to see which friends the user had talked to and which were not in the user’s contact list. Imperva confirmed the hackers couldn’t gain any other data from the attack.

Like the vulnerability in Facebook reported last November, Messenger users would have been vulnerable if they visited a malicious site with Chrome and then clicked on the site while they were still logged in on Facebook. That would give the hackers access to run any queries on a new Facebook tab and extract personal data.

You would need to visit a malicious site and be logged into Facebook to be vulnerable

After Imperva disclosed the issue to Facebook, the company tried to issue a fix by randomizing iframe elements, an HTML element vital to the vulernability. But later, Imperva pointed out that a hacker could still design an algorithm that would continue to expose user’s contacts. Facebook then removed iframes from Messenger entirely. Facebook told The Verge in a statement: “We appreciate the researcher’s submission to our bug bounty program. The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook.”

“Browser-based side channel attacks are still an overlooked subject,” Israel-based Imperva researcher Ron Masas writes in the report. “While big players like Facebook and Google are catching up, most of the industry is still unaware.” Masas noted that while the technique wasn’t common yet, it could “increase in popularity throughout 2019” as it typically didn’t leave a trace.

Over the past few years, Facebook has come under fire for rampant privacy violations and mishandling of user data. From the Cambridge Analytica scandal reported last March to a data breach Facebook revealed in October, millions of users have had their data leaked. The news of today’s vulnerability also comes a day after Facebook CEO Mark Zuckerberg announced plans to merge Messenger, WhatsApp, and Instagram into a service that would combine its products through a single backend, positioning the move as a pivot to a “privacy-focused communications platform.”

Update March 7th, 11:23PM ET: This article was updated with comment from Facebook. Facebook also noted the bug was reported in November, not May.

Today’s Storystream

Feed refreshed 4 minutes ago Striking out

Andrew Webster4 minutes ago
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.

The Verge
Andrew WebsterAn hour ago
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.

Andrew Webster1:05 PM UTC
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.

A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix

Welcome to the new Verge

Revolutionizing the media with blog posts

Nilay PatelSep 13
Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.

External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.

External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.

Spain’s Transports Urbans de Sabadell has La Bussí.

Once again, the US has fallen behind in transportation — call it the Bussí gap. A hole in our infrastructure, if you will.

External Link
Jay PetersSep 23
Doing more with less (extravagant holiday parties).

Sundar Pichai addressed employees’ questions about Google’s spending changes at an all-hands this week, according to CNBC.

“Maybe you were planning on hiring six more people but maybe you are going to have to do with four and how are you going to make that happen?” Pichai sent a memo to workers in July about a hiring slowdown.

In the all-hands, Google’s head of finance also asked staff to try not to go “over the top” for holiday parties.

External Link
Insiders made the most money off of Helium’s “People’s Network.”

Remember Helium, which was touted by The New York Times in an article entitled “Maybe There’s a Use for Crypto After All?” Not only was the company misleading people about who used it — Salesforce and Lime weren’t using it, despite what Helium said on its site — Helium disproportionately enriched insiders, Forbes reports.

James VincentSep 23
Nvidia’s latest AI model generates endless 3D models.

Need to fill your video game, VR world, or project render with 3D chaff? Nvidia’s latest AI model could help. Trained on 2D images, it can churn out customizable 3D objects ready to import and tweak.

The model seems rudimentary (the renders aren’t amazing quality and seem limited in their variety), but generative AI models like this are only going to improve, speeding up work for all sorts of creative types.