Security experts from Check Point early this week reported a serious vulnerability in the Facebook Messanger App that could be exploited by attackers to replace the content of the messages they send via the mobile app. The impact of such flaw could be very severe, crook could exploit it to replace legitimate messages with content including malicious links.
“Check Point disclosed details about a vulnerability found in Facebook Messenger, both in the online and mobile applications.” reported Check Point in a blog post. “The vulnerability allows a malicious user to change conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more.”
As explained by the researchers, the Facebook Messenger App assigns a random ID to each message, the problem is that if an attacker obtains this ID via a request to facebook.com/ajax/mercury/thread_info.php, and then send another message with the same ID to the targeted user it will replace the original message.
Experts from Facebook who investigated the issue clarified that the security vulnerability only affects Messenger for Android. In particular, Facebook explained that for devices running iOS, only the first message is displayed even if attackers send further messages with the same ID.
“On most clients — including iOS — when duplicate messages are detected, the first message takes precedence and is displayed on both the sender’s and receiver’s device. However, a misconfiguration with the Messenger app on Android resulted in the last message being displayed instead. As a result, a sender could write a message and then appear to change its content retroactively.” states Facebook. “We received multiple reports about this bug through our Bug Bounty program — including one from Check Point, a security company — and we ran a thorough investigation.”Facebook tried to downplay the problem explaining that the vulnerability can be exploited by an attacker only to replace the content of their own messages and not someone else’s messages.
“Would you have the ability to change the content of anyone else’s messages or just your own? Content could have only been adjusted by the person who sent the message. The bug did not provide the ability to change someone else’s messages.” states Facebook.
The company also highlighted that its antimalware and anti-spam filters could be enough to stop the threat.
“This bug affected the Android Messenger interface, but the message content was still correctly reflected on other platforms. We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed,” Facebook said.
Due to the above motivation, Facebook fixed the issue, but classified is as a “simple misconfiguration” ranked with a “low risk.”
Below the video PoC published by Check Point.
(Security Affairs – Facebook Messenger App, hacking)