Slashdot Mirror


Huge Vulnerabilities In Facebook Chat and Messenger Exploitable With Basic HTML (helpnetsecurity.com)

An anonymous reader writes: Check Point's security research team has discovered vulnerabilities in Facebook's standard online Chat function, as well as Messenger app. The vulnerabilities, if exploited, would allow anyone to essentially take control of any message sent by Chat or Messenger, modify its contents, distribute malware and even insert automation techniques to outsmart security defences. To exploit the vulnerability, an attacker simply needed to identify the unique ID for the sent message he or she is targeting. According to the report, Facebook, in conjunction with Check Point's researchers, patched the vulnerability earlier this month.

9 of 40 comments

  1. After all these years... by __aaclcg7560 · · Score: 3, Funny

    You would think that the element was no longer a security threat.

  2. Re:No really? by myowntrueself · · Score: 2

    Here I was using Facebook chat for all my super secret communications.

    You must be in ISIS

    --
    In the free world the media isn't government run; the government is media run.

  3. How do you get the unique ID? by bluefoxlucid · · Score: 4, Interesting

    How do you identify the unique ID of the message? If the message is sent to you (or a group including you), I guess that works. How else?

    If message unique IDs are cryptographically secure--if they're 128-bit random GUIDs from a strong entropy source--then this is like saying an attacker only needs the unique private key to hijack Verisign. If they're akin to the ObjectID in MongoDB--datestamp, machine, process, and 24-bit random counter--then we can go fishing. If the ID is discoverable only by being the logged-in user, then you need a browser-end hijack or a TLS-breaking MITM, in which case there are any number of ways to invisibly send messages and not send messages the user types.

    1. Re:How do you get the unique ID? by bluefoxlucid · · Score: 3, Informative

      128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack.

      If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

      How trivial is trivial?
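The two bluefoxlucid comments above turn on how much of a message ID an attacker actually has to guess: a structured ObjectID-style identifier versus 128 random bits. The following added example (mine, not from the thread or from Check Point's report; the ObjectID value is constructed, the field layout is the legacy 12-byte MongoDB one, and the "known machine/pid" assumptions are illustrative) parses such an ID, estimates the bits left to guess, and reproduces the comment's 3 GHz enumeration time for 128 bits; either way, an authorization check on the requester, not ID secrecy, is the control a defender should rely on.

```python
import math
import secrets

GUESSES_PER_SECOND = 3_000_000_000      # the comment's 3 GHz, one INC per cycle
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample (not a real Facebook or MongoDB value), legacy 12-byte layout:
# 4-byte Unix timestamp | 3-byte machine id | 2-byte pid | 3-byte counter
SAMPLE_OBJECTID = "5761a3f0" "a1b2c3" "1f2e" "3d4c5b"

def parse_objectid(hex_id: str) -> dict:
    """Split a 24-hex-char ObjectID into its structured fields."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectID must be 12 bytes")
    return {
        "timestamp": int.from_bytes(raw[0:4], "big"),
        "machine": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }

def unknown_bits_objectid(window_seconds: int, machine_known: bool, pid_known: bool) -> float:
    """Bits an attacker still has to guess when the creation time is bounded to a
    window and machine/pid may be known (assumption: learnable from their own IDs)."""
    bits = math.log2(window_seconds)          # timestamp uncertainty
    bits += 0 if machine_known else 24
    bits += 0 if pid_known else 16
    bits += 24                                # counter field is always unknown
    return bits

def years_to_enumerate(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to count through 2**bits values at the given rate, in years."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR

def random_message_id() -> str:
    """What 'cryptographically secure' looks like: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    print(parse_objectid(SAMPLE_OBJECTID))
    b = unknown_bits_objectid(3600, True, True)
    print(f"ObjectID, 1h window, machine+pid known: ~{b:.1f} bits, "
          f"~{years_to_enumerate(b) * SECONDS_PER_YEAR:.0f} s to enumerate")
    print(f"128-bit random token: {years_to_enumerate(128):.2e} years")
    print("sample random id:", random_message_id())
```

The printed 128-bit figure is about 3.6e21 years, the number the comment quotes; the structured ID under the stated assumptions collapses to roughly 36 bits, or seconds at the same rate.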

  4. Re:Why do people still use Facebook? by queBurro · · Score: 2

    Basically, it's pubsub for pics of cats and a big kevin-bacon-esque address book of people who want to be found by people they once knew.

    --
    sag

  5. Messenger and Payments? by JimMcc · · Score: 4, Insightful

    And Facebook wants to use the messenger app to send payments? If they have this much trouble with basic security over social chatting, why should we trust them to handle payment processing? If you can't do the simple things right, you certainly can't be expected to successfully accomplish the difficult things.

  6. Node and REST? by clifwlkr · · Score: 2, Insightful

    This is what you get when you hire a bunch of developers doing straight RESTful interfaces on top of MongoDB having no idea what they are actually doing. I am amazed at the lack of security I see in most of the software developed these days, and while RESTful can be a great approach, people also need to realize how open and easy to abuse it really is.

    It really is funny how all of these things we solved ages ago are having to be redone because now we have a new platform that doesn't just give you all of this built in. Hopefully the node level javascript developers can be taught the importance of actual security and designing an enterprise/internet level system and what that means, but with trends like 'microservices' being the rage, I somehow doubt that.

    This is the difference between being a programmer, and being an engineer.

    Rant off....

  7. This is why..... by TheCarp · · Score: 2

    This is why the moment I got my new phone I started disabling things. This is why the moment I saw that half the apps on my phone wanted permission to use the camera and microphone, all but 4 of them got denied that going forward.

    I guarantee you facebook apps have these permissions and don't need them. The camera app takes photos, camera access is not even needed to access already stored photos.... it's off.

    --
    "I opened my eyes, and everything went dark again"

    1. Re:This is why..... by TheCarp · · Score: 2

      Anyone who has read Reflections on Trusting Trust should, of course, be able to ask that question and answer it. Of course it's possible, but who are you going to trust?

      Fact is, this program exists, and is exploitable. *IF* we trust that the permissions work, then we can conclude that leaving them open leaves an exploitable program open to misusing them at the request of a person who exploits it.

      By turning off this permission, I can hope that this attempt will fail, and even expect it will. I can't say with any certainty that I know for sure it will, or that it is not circumventable, but.... there are limits to how far down the rabbit hole it's useful for me to go if I want to be able to discuss or do anything. At some point the conclusion is either "don't buy a phone" or "accept that I have to trust someone".

      --
      "I opened my eyes, and everything went dark again"