Facebook Messenger has a whopping 900 million monthly active users, which means a flaw on the platform puts millions of users at risk.
The popular instant messaging service recently adopted end-to-end encryption aimed at keeping man-in-the-middle attackers from spying on private messages sent over the platform. However, a new flaw has emerged that could allow criminals to spy on private messages.
Security researchers at Check Point detected a backdoor that could allow hackers to alter chats and spread malware on the Messenger Android app and desktop Facebook chat. They will demonstrate the bug at the upcoming Infosecurity Conference. The bug allows someone to modify or completely remove texts, links, and images, which can lead to the spread of malware, the implication of innocent individuals, or the removal of legal evidence.
The security researcher who discovered the weakness, Roman Zaikin, said that the flaw allows malicious actors to initiate a man-in-the-middle attack on Messenger and read conversations without either the sender or the receiver noticing. Worst of all, the hacker can change your messages for personal gain, he added.
Facebook Messenger is now used not only for chatting but also as a communication hub linking people and businesses, so this loophole could have had a severe impact on users. In its report, Check Point warns that the flaw can affect the vital role Messenger plays in daily life. Facebook Messenger conversations are taken seriously in some countries. For instance, courts in Australia, the United States, and Europe use the chats as legally binding evidence.
To substantiate the point, Check Point gave the example of a malicious hacker who modifies a conversation to claim a fake agreement reached between him and the victim. The weakness also opened a way for a criminal to hide evidence of a crime or even lay the blame on an innocent person.
The research team also exposed another potential risk: a hacker impersonating a friend of the victim to infect the target's computer with malware by sending phony links and inducing the target to open them. Though Facebook prevents the spread of malware on Messenger by blocking users from sending links to known malware sites, this could be tricky to deal with.
The hole has been patched
Christopher Rodrigues, the security firm's Australian managing director, said they notified Facebook immediately after detecting the vulnerability, which the social media powerhouse has fixed. The firm could not confirm how long the app had carried the defect, nor identify a victim. Check Point also could not disclose the affected Messenger platforms, that is, whether the vulnerability affected the iOS app, the Android app, or both.
Mr. Rodrigues also said the legal world would face challenges in cases where Facebook Messenger conversations were used as evidence. There would be uncertainty over whether the evidence had been tampered with and whether the individuals or groups involved knew it had been altered, which would need investigation. Legal proceedings could be affected when an individual could not own up to the chats or doubted sending some messages, he added.
Facebook confirmed the vulnerability
Facebook has agreed with Check Point's findings that there was indeed a backdoor in Messenger. The company revealed the weakness was due to a misconfiguration in the Messenger Android app. However, Facebook said the bug only allowed someone to change the content of their own messages, not another person's. Even if someone exploited the flaw and modified the content of someone else's message on the Android app, the victim could still get the correct version of the chats on other platforms, which could be used as evidence.
All Messenger users are therefore urged to update their apps by downloading the fixed version available on the Apple iTunes Store and Google Play.