Slashdot Mirror


Huge Vulnerabilities In Facebook Chat and Messenger Exploitable With Basic HTML (helpnetsecurity.com)

An anonymous reader writes: Check Point's security research team has discovered vulnerabilities in Facebook's standard online Chat function, as well as the Messenger app. The vulnerabilities, if exploited, would allow anyone to essentially take control of any message sent by Chat or Messenger, modify its contents, distribute malware and even insert automation techniques to outsmart security defences. To exploit the vulnerability, an attacker simply needed to identify the unique ID for the sent message he or she is targeting. According to the report, Facebook, in conjunction with Check Point's researchers, patched the vulnerability earlier this month.

40 comments

  1. No really? by Anonymous Coward · · Score: 0

    Here I was using Facebook chat for all my super secret communications.

    1. Re:No really? by myowntrueself · · Score: 2

      Here I was using Facebook chat for all my super secret communications.

      You must be in ISIS

      --
      In the free world the media isn't government run; the government is media run.
  2. After all these years... by __aaclcg7560 · · Score: 3, Funny

    You would think that the element was no longer a security threat.

  3. Why do people still use Facebook? by Anonymous Coward · · Score: 0

    There have been huge vulnerabilities in beta that could compromise the accounts of actual users. They don't really seem to care about the security of their users, only about collecting as much data as possible for advertisers. Are there any legitimate reasons for anyone to use Facebook any longer? I think not. I've been modded down to -1 for asking this question before and it's a chickenshit way to avoid the question. Facebook doesn't seem to care about security and the only way to change that is to stop giving them fodder for ad revenue.

    1. Re:Why do people still use Facebook? by Anonymous Coward · · Score: 0

      How else am I supposed to spam all my friends with links and videos?

    2. Re:Why do people still use Facebook? by Alain+Williams · · Score: 1

      Most people do not care; if something goes wrong they will find someone else to blame. Neither do they care that their information is being sold.

    3. Re: Why do people still use Facebook? by Ralgha · · Score: 1

      I deleted my Facebook account years ago and I don't miss it at all. It's a great tool for companies to exploit consumers though, that's probably its main purpose these days.

    4. Re:Why do people still use Facebook? by queBurro · · Score: 2

      Basically, it's pubsub for pics of cats and a big kevin-bacon-esque address book of people who want to be found by people they once knew.

      --
      sag
    5. Re: Why do people still use Facebook? by Anonymous Coward · · Score: 0

      I deleted my Facebook account years ago and I don't miss it at all. It's a great tool for companies to exploit consumers though, that's probably its main purpose these days.

      Then you have no life. It's how normal people in meatspace communicate.

    6. Re:Why do people still use Facebook? by Anonymous Coward · · Score: 1

      Most people do not care; if something goes wrong they will find someone else to blame. Neither do they care that their information is being sold.

      FB is an excellent disinfo platform. I don't care my disinformation is being sold. It's a feature. ;)

    7. Re:Why do people still use Facebook? by Anonymous Coward · · Score: 0

      Just like I don't jack off in public, I don't do shit on Facebook that I don't mind being public. You might be shocked to find out that I leave my house from time to time as well, despite the fact that my expectation of privacy is greatly reduced upon doing so.

  4. Re:More LUDDITE lies! by Yvan256 · · Score: 0

    Shuddapp.

  5. How do you get the unique ID? by bluefoxlucid · · Score: 4, Interesting

    How do you identify the unique ID of the message? If the message is sent to you (or a group including you), I guess that works. How else?

    If message unique IDs are cryptographically secure--if they're 128-bit random GUIDs from a strong entropy source--then this is like saying an attacker only needs the unique private key to hijack Verisign. If they're akin to the ObjectID in MongoDB--datestamp, machine, process, and 24-bit random counter--then we can go fishing. If the ID is discoverable only by being the logged-in user, then you need a browser-end hijack or a TLS-breaking MITM, in which case there are any number of ways to invisibly send messages and not send messages the user types.

    1. Re:How do you get the unique ID? by Opportunist · · Score: 1

      128 bits ain't necessarily 128 bits. Just giving me the bit depth of your key without telling me what kind of cipher, if any, you want to feed it to does not tell me anything about the security of your implementation.

      128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack. If I have to take the 128 bit value and do a complex computation (like in, say ECDH), you have a VERY different and much more complex operation at hand.

      The computational expense differs greatly between different operations on your "bits". A 512-bit key in ECDH is as good as 15360-bit RSA/DH according to NIST. (ECRYPT even gave it a security equivalent of 15424-bit RSA/DH.)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:How do you get the unique ID? by Anonymous Coward · · Score: 1

      Ugh.

      No.

      Symmetric and Asymmetric crypto are different. In asymmetric crypto everybody has one of the keys (the public key, hence public key cryptography), and the size of the key controls how hard it would be to figure out the corresponding private key but so does the algorithm used. So yes, key lengths with the same security in RSA and EC will be different.

      But with symmetric crypto the keys are _secret_. Short of a break, key length determines how many possible keys a bad guy has to try before they find yours. 128 bits is always 128 bits. You need just as many tries (far too many to ever complete) to guess the correct 128-bit AES key as to guess the correct 128-bit Twofish key.

      This scenario requires guessing 128 bits. Imagine you had an impossibly fast computer that can try a billion billion possibilities per second. In fact, a billion people just like you have these impossible computers. And you all want to work together to guess the right one. Too bad it'll take more than 10,000 years.

      Here's a good idea. When you're about to blather about how ECDH vs RSA is important in a thread about guessing 128-bit numbers, just write "Herp, derp, my brain doesn't work too good" and move on.

    3. Re:How do you get the unique ID? by bluefoxlucid · · Score: 3, Informative

      128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack.

      If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

      How trivial is trivial?

    4. Re:How do you get the unique ID? by Anonymous Coward · · Score: 0

      How fast would it be if every computer in the world took a chunk of the workload?

    5. Re:How do you get the unique ID? by JustAnotherOldGuy · · Score: 1

      If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

      So you're saying I'd need two computers to crack it??

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:How do you get the unique ID? by bluefoxlucid · · Score: 1

      There are approximately 2 billion computers in operation on the planet Earth today.

      If you utilized the full processing power of all 2 billion of those computers, you could count from 1 to 2^128 in 1,790,000,000,000 years or 130 times the age of the universe, assuming single-CPU operation. With an average of 6 execution units (6 core) per computer, the iteration can be completed in 298,000,000,000 years or 22 times the current age of the universe.

      That's strictly iterating at maximum speed; this excludes the time to make network tests or to compute local hashes or encryptions in an attempt to crack passwords or otherwise-obscured information. Such actions require several thousands to several billions times the amount of real-time.
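The arithmetic in bluefoxlucid's two posts above (a 3 GHz counter, then 2 billion six-core machines) and the question in his first post (are message IDs 128 random bits, or a structured MongoDB-ObjectID-style value?) can be put into one small calculator. This is an added example, not code from the thread or from Check Point's report; the universe age and guess rates are the thread's own figures, the 12-byte ObjectID layout (4-byte timestamp, 3-byte machine, 2-byte pid, 3-byte counter) is MongoDB's documented one, and the "which fields are predictable" inputs are hypothetical assumptions a defender would plug in when judging whether an identifier is safe to treat as an unguessable capability.

```python
"""Added example: how much work it takes to enumerate an identifier space.

Not from the Slashdot thread or Check Point's report. Figures for the
universe's age and the guess rates are the thread's; the ObjectID
layout is MongoDB's documented one; the predictability assumptions in
guessable_bits() are hypothetical inputs for a defender's assessment.
"""
import math
import secrets
import struct

UNIVERSE_AGE_YEARS = 13_772_000_000          # value used in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def enumeration_years(bits, guesses_per_second, machines=1):
    """Years to exhaust a 2**bits space at an aggregate guess rate."""
    total_guesses = 2 ** bits
    rate = guesses_per_second * machines
    return total_guesses / rate / SECONDS_PER_YEAR


def universe_ages(years):
    """Express a duration as a multiple of the universe's age."""
    return years / UNIVERSE_AGE_YEARS


def random_message_id():
    """Style (a): 128 bits straight from the OS CSPRNG.

    Every bit is secret, so an online guesser faces the full 2**128 space.
    """
    return secrets.token_bytes(16)


def objectid_style(timestamp, machine, pid, counter):
    """Style (b): a 12-byte ObjectID-like identifier (constructed layout).

    timestamp: seconds since the epoch (4 bytes)
    machine:   24-bit host identifier
    pid:       16-bit process id
    counter:   24-bit per-process counter
    """
    return (struct.pack(">I", timestamp)
            + machine.to_bytes(3, "big")
            + struct.pack(">H", pid)
            + counter.to_bytes(3, "big"))


def guessable_bits(timestamp_window_seconds, machine_known=True, pid_known=True):
    """Effective secret bits left in a style (b) ID, given what is predictable.

    The timestamp contributes only log2(window) bits if the message's send
    time is known to within `timestamp_window_seconds`; the machine and pid
    fields contribute nothing when they are known; the counter is assumed
    to be the only truly opaque field (hypothetical assumption).
    """
    bits = math.log2(timestamp_window_seconds)
    bits += 0 if machine_known else 24
    bits += 0 if pid_known else 16
    bits += 24
    return bits


if __name__ == "__main__":
    # The thread's single 3 GHz counter:
    single = enumeration_years(128, 3e9)
    print(f"one 3 GHz core: {single:.3g} years "
          f"({universe_ages(single):.3g} universe ages)")
    # The thread's 2 billion six-core machines:
    fleet = enumeration_years(128, 3e9, machines=2e9 * 6)
    print(f"2e9 x 6 cores:  {fleet:.3g} years "
          f"({universe_ages(fleet):.3g} universe ages)")
    # A structured ID whose timestamp is known to within an hour
    # and whose machine and pid are predictable:
    print(f"ObjectID-style, 1h window: ~{guessable_bits(3600):.1f} secret bits")
    print("random 128-bit id:", random_message_id().hex())
    print("objectid-style id:", objectid_style(1465300000, 0xABCDEF, 4242, 17).hex())
```

Running it reproduces the thread's orders of magnitude (about 3.6e21 years for one core, about 3e11 years for the fleet) and shows the contrast the first post asked about: with the timestamp bounded to an hour and the machine and pid fields predictable, an ObjectID-style value has on the order of 36 secret bits rather than 128, which is why only a CSPRNG-generated identifier should ever be relied on as a bearer capability.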

    7. Re:How do you get the unique ID? by Anonymous Coward · · Score: 0

      Not fast enough til the last proton in the universe decays.

    8. Re:How do you get the unique ID? by JustAnotherOldGuy · · Score: 1

      With an average of 6 execution units (6 core) per computer, the iteration can be completed in 298,000,000,000 years or 22 times the current age of the universe.

      Okay, wait, so we're up to three computers now?? I'm not sure I have that many power outlets in my room.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  6. Made you look? by Krazy+Kanuck · · Score: 0

    Choppa four reporting - huge chemical fire downtown this morning, smoke can be seen for miles, massive flames and explosions. In other news, local firefighters and teams from surrounding counties put out the fire last week....

  7. developers need to fix by Richasolutions · · Score: 1

    It has been seen many times that big websites have huge holes in their security. I believe they can fix everything as there are millions of users who use Facebook every day.

  8. Fedbook by Anonymous Coward · · Score: 0

    Here's the deal. Nobody cares about discovering if Susie fed her cat and told Tammy or not. This is just a false sense of security story again. If you put your info on Facebook, it is immediately able to be scanned and cross-referenced ad nauseam by the government.

    Facebook and Twitter profile, Google tracks.

    Seen Eric Schmidt CEO of Google lately? http://bilderbergmeetings.org/participants.html

    All of the mass immigration issues and deciding if a Jew, an old lady body double, or an actor/businessman is going to run the US Military is a sham.

    *cough**cough*

  9. Who cares? by Opportunist · · Score: 1

    If you only give half a shit about your privacy and you're using anything that as much as touches Facebook, you're doing it wrong.

    With exploit, without exploit, the difference matters only to Facebook, i.e. whether they have to share your private data with someone else. To you, the difference is negligible.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Who cares? by Anonymous Coward · · Score: 0

      All data is shared at will with US gov, meaning US moles have near-immediate access as well.

      I suggest noscript.net (script blocking plugin for browsers) and at the least go to Options/Advanced/XSS and clear the box giving Google (and Wikipedia) permissions for cross-site scripting. Google is 100% state-friendly, but on the "under". Also you should disable each of the checkboxes on Options/Advanced/ABE. Your browser will bypass your VPN if you have the WAN IP box checked and disclose your gateway IPs.

      You can add custom filters in Adblock (browser plugin) to block more Google, Facebook, and Twitter tracking you all over the Internet as well. They are all gov-friendly if you know what I mean.
      e.g. these:
      ||google-analytics.com^
      ||googletagservices.com^
      ||google.com^
      ||twitter.com^
      ||googlesyndication.com^
      ||ajax.googleapis.com^
      ||facebook.net^
      ||gstatic.com^
      ||facebook.net^

      etc. You can re-allow them on the fly when you actually use Google/Facebook/Twitter, if you are so inclined. No site is anonymous whatsoever if it connects your browser to those sites, among others.
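The filter lines in the comment above use Adblock's `||host^` form: `||` anchors the rule at a domain boundary, so the rule matches that host and any of its subdomains, and `^` is a separator that ends the host part. The following is an added example, not the commenter's code and not the Adblock or uBlock engine: it parses only this host-anchored form (the full filter syntax has many more rule types, which this matcher does not attempt), de-duplicates the list (the comment lists `facebook.net` twice) and reports which requests from a constructed set of URLs the list would block, which is the sort of check a defender runs to see what third-party hosts a page would reach.

```python
"""Added example: a matcher for Adblock-style ``||host^`` domain filters.

Not the commenter's code and not Adblock's/uBlock's engine; it supports
only the host-anchored rule form shown in the comment. The sample URLs at
the bottom are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# The list from the comment, verbatim (facebook.net appears twice there).
FILTER_TEXT = """
||google-analytics.com^
||googletagservices.com^
||google.com^
||twitter.com^
||googlesyndication.com^
||ajax.googleapis.com^
||facebook.net^
||gstatic.com^
||facebook.net^
"""

# ``||`` then a hostname, then the ``^`` separator; nothing else is accepted.
_DOMAIN_RULE = re.compile(r"\|\|([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                          r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+)\^")


def parse_domain_filters(text):
    """Return the unique hosts named by ``||host^`` rules, in first-seen order.

    Lines that are blank, comments (``!``) or any other rule type are skipped.
    """
    hosts, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        match = _DOMAIN_RULE.fullmatch(line)
        if match is None:
            continue                      # unsupported rule form; ignore it
        host = match.group(1).lower()
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def host_matches(hostname, rule_host):
    """``||rule_host^`` matches rule_host itself and any subdomain of it."""
    return hostname == rule_host or hostname.endswith("." + rule_host)


def matching_rule(url, hosts):
    """The rule host that blocks ``url``, or None if nothing matches.

    Only the URL's hostname is consulted, which is all ``||host^`` rules
    look at; ``notgoogle.com`` does not match ``||google.com^`` because the
    match is at a label boundary, not a substring.
    """
    hostname = (urlparse(url).hostname or "").lower()
    for rule_host in hosts:
        if host_matches(hostname, rule_host):
            return rule_host
    return None


def audit(urls, hosts):
    """Map each URL to the rule that blocks it (None for allowed URLs)."""
    return {url: matching_rule(url, hosts) for url in urls}


if __name__ == "__main__":
    rules = parse_domain_filters(FILTER_TEXT)
    print(f"{len(rules)} unique rules:", rules)
    # Constructed sample requests a page might make:
    sample_urls = [
        "https://www.google-analytics.com/analytics.js",
        "https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js",
        "https://connect.facebook.net/en_US/sdk.js",
        "https://notgoogle.com/",
        "https://example.com/index.html",
    ]
    for url, rule in audit(sample_urls, rules).items():
        print("BLOCK" if rule else "allow", url, f"({rule})" if rule else "")
```

The audit shows the effect the commenter describes: scripts loaded from `ajax.googleapis.com` or `connect.facebook.net` are blocked along with the analytics beacons, which is why pages that depend on those CDNs need the rules re-enabled "on the fly".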

    2. Re:Who cares? by Anonymous Coward · · Score: 0

      ^

      All data is shared at will with US gov, meaning US moles have near-immediate access as well.

      I suggest noscript.net (script blocking plugin for browsers) and at the least go to Options/Advanced/XSS and clear the box giving Google (and Wikipedia) permissions for cross-site scripting. Google is 100% state-friendly, but on the "under". Also you should disable each of the checkboxes on Options/Advanced/ABE. Your browser will bypass your VPN if you have the WAN IP box checked and disclose your gateway IPs.

      You can add custom filters in Adblock (browser plugin) to block more Google, Facebook, and Twitter tracking you all over the Internet as well. They are all gov-friendly if you know what I mean.
      e.g. these:
      ||google-analytics.com^
      ||googletagservices.com^
      ||google.com^
      ||twitter.com^
      ||googlesyndication.com^
      ||ajax.googleapis.com^
      ||facebook.net^
      ||gstatic.com^
      ||facebook.net^

      etc. You can re-allow them on the fly when you actually use Google/Facebook/Twitter, if you are so inclined. No site is anonymous whatsoever if it connects your browser to those sites, among others.

  10. Messenger and Payments? by JimMcc · · Score: 4, Insightful

    And Facebook wants to use the messenger app to send payments? If they have this much trouble with basic security over social chatting, why should we trust them to handle payment processing? If you can't do the simple things right, you certainly can't be expected to successfully accomplish the difficult things.

    1. Re: Messenger and Payments? by Anonymous Coward · · Score: 0

      And you trust them for your basic social chats? I was asked to agree to WhatsApp's terrible T&Cs the other day. Do you know what I pressed? I pressed NO and deleted the app. If you want to talk to me, send me an email or pick up the phone. Label me antisocial all you like, but saying that I'm uncontactable because I choose to stay away from these atrocious apps is not true. I'm contactable, I just ain't stupid, that's all.

  11. Node and REST? by clifwlkr · · Score: 2, Insightful

    This is what you get when you hire a bunch of developers doing straight RESTful interfaces on top of MongoDB having no idea what they are actually doing. I am amazed at the lack of security I see in most of the software developed these days, and while RESTful can be a great approach, people also need to realize how open and easy to abuse it really is.

    It really is funny how all of these things we solved ages ago are having to be redone because now we have a new platform that doesn't just give you all of this built in. Hopefully the Node-level JavaScript developers can be taught the importance of actual security and designing an enterprise/internet level system and what that means, but with trends like 'microservices' being the rage, I somehow doubt that.

    This is the difference between being a programmer, and being an engineer.

    Rant off....

  12. Not HTML, lol by campuscodi · · Score: 1

    HTTP requests are not HTML code.

  13. Re:More LUDDITE lies! by Anonymous Coward · · Score: 0

    Scopes is the word. Only scopes can give scopers the scope to scope scopy scopes. Scopes will do away with LUDDITE apps.

    Scopes!

  14. HTML Chat sucks by sycodon · · Score: 1

    EVERY HTML app I've ever used sucked royally.

    Delays, dropped letters, crashes.

    Barely one step above two tin cans and some string.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  15. This is why..... by TheCarp · · Score: 2

    This is why the moment I got my new phone I started disabling things. This is why the moment I saw that half the apps on my phone wanted permission to use the camera and microphone, all but 4 of them got denied that going forward.

    I guarantee you Facebook apps have these permissions and don't need them. The camera app takes photos; camera access is not even needed to access already stored photos... it's off.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:This is why..... by JustAnotherOldGuy · · Score: 1

      This is why the moment I got my new phone I started disabling things. ... The camera app takes photos, camera access is not even needed to access already stored photos... it's off.

      Here's the thing, though: you unchecked the box revoking its permissions, but is it really off? How would we really know without being able to audit or examine the code?

      For all we know, turning off the permissions may just put it in "extra sneaky" mode. Honestly, given the current predatory and exploitative nature of advertising, this wouldn't surprise me a bit.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:This is why..... by TheCarp · · Score: 2

      Anyone who has read Reflections on Trusting Trust should, of course, be able to ask that question and answer it. Of course it's possible, but who are you going to trust?

      Fact is, this program exists, and is exploitable. *IF* we trust that the permissions work, then we can conclude that leaving them open leaves an exploitable program open to misusing them at the request of a person who exploits it.

      By turning off this permission, I can hope that this attempt will fail, and even expect it will. I can't say with any certainty that I know for sure it will, or that it is not circumventable, but... there are limits to how far down the rabbit hole it's useful for me to go if I want to be able to discuss or do anything. At some point the conclusion is either "don't buy a phone" or "accept that I have to trust someone".

      --
      "I opened my eyes, and everything went dark again"
  16. What?? Impossible! by JustAnotherOldGuy · · Score: 1

    I can hardly believe this; I mean, Facebook has always had such a spotless record when it comes to security!

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:What?? Impossible! by bahrdo · · Score: 1

      But... But... they held hacking competitions to find the best hackers to hire. How can their security be bad?

  17. Re:More LUDDITE lies! by Anonymous Coward · · Score: 0

    #stillboring