Facebook Messenger bug lets anyone change your messages

7 Jun 2016

Security researchers have discovered a significant vulnerability in Facebook Messenger that allows anyone with the right know-how to access other people’s conversations and modify or remove messages.

Facebook is continuing to double down on Facebook Messenger in the hope of pushing more of the social network’s billion-plus users to have it as their go-to messaging service.

However, a recent discovery made by a security researcher at Check Point has revealed a rather nasty bug that could have seen anyone looking to maliciously change people’s messages do so with relative ease.

From fraud to malware

According to the company’s blog, the bug has obviously been patched as per best practice by security researchers, but the potential dangers it would have caused are quite worrisome.

Once access has been gained using this vulnerability, the target’s chat history could be added to or modified, including links and content.

Having first been brought to the attention of Facebook’s security team earlier this month, Check Point said some of the worst potential outcomes could have included instigating fraud on behalf of the target, or hiding evidence of something being said that could be used in a court of law.

Then, of course, there’s the potential for the hacker to use Facebook Messenger to change existing links to malware, or send new malware links pretending to be from the target.

Messenger vulnerability

An altered message using the Facebook Messenger vulnerability. Image via Check Point

Not all chat history affected

This would be rather difficult, however, given Facebook’s efforts to clamp down on malware by blocking links to known malware sites.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realising,” said Check Point’s Oded Vanunu.

“What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations.”

The key to the vulnerability, as it turns out, was down to the hacker’s ability to access to the ‘message_id’ parameter connected with each message sent on the platform.

Not all chat histories would have been affected, however, as while the bug directly affected the Messenger app and conversations on Facebook itself, chat histories accessed using Messenger.com would have shown the original chat history.

Facebook Messenger image via Kārlis Dambrāns/Flickr

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com