Recall that in November of last year, researchers discovered a Facebook flaw that allowed websites to extract user profile data through a vulnerability related to the cross-site frame leakage (CSFL) attack technique. Today, researchers disclosed a now-patched loophole that allowed websites to expose which individuals a user has conversed with on Facebook Messenger.
In a blog post, Imperva's security researcher Ron Masas explains how a CSFL attack can exploit iFrame element attributes to determine an application's state.
When run against individual Messenger contacts, this process yields one of two states, full or empty, indicating whether or not the user has conversed with that contact. That yes-or-no answer is the extent of the loophole.
The vulnerability does not give access to conversations or allow fetching data from chat histories; it essentially produces binary data with very limited utility for potential attacks.
The security researchers have also notified Facebook of the vulnerability and rated its severity higher than before. Facebook has decided to remove all iFrames from the Messenger user interface.
According to Masas: 'Browser-based side-channel attacks continue to be an overlooked topic. While most tech giants like Facebook and Google are staying ahead, many other tech companies remain unaware or uninformed.'
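A defender-side check for the kind of state-dependent frame signal described above, as an added example that is not from Imperva's post or Facebook's code. It assumes the leaked attribute is the number of iframes a page renders; the snapshot markup and function names are constructed for illustration.

```javascript
// Added example: audit whether a page's iframe count depends on private state.
// Assumption: the observable signal is the number of <iframe> elements, which
// a cross-origin window holding a reference to the page can read.

// Count iframe elements in an HTML snapshot, skipping comments and
// script/style bodies (simplified tokenizer for rendered-DOM snapshots).
function countIframes(html) {
  const stripped = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, "");
  const matches = stripped.match(/<iframe\b/gi);
  return matches ? matches.length : 0;
}

// snapshots: { stateName: html }. Returns per-state counts and the pairs of
// states an outside observer could tell apart by frame count alone.
function auditFrameLeak(snapshots) {
  const counts = {};
  for (const [state, html] of Object.entries(snapshots)) {
    counts[state] = countIframes(html);
  }
  const states = Object.keys(counts);
  const distinguishable = [];
  for (let i = 0; i < states.length; i++) {
    for (let j = i + 1; j < states.length; j++) {
      if (counts[states[i]] !== counts[states[j]]) {
        distinguishable.push([states[i], states[j]]);
      }
    }
  }
  return { counts, distinguishable, leaks: distinguishable.length > 0 };
}

// Constructed snapshots of a hypothetical chat view (not Facebook's markup).
const before = {
  empty: '<div id="chat"><p>No messages</p></div>',
  full: '<div id="chat"><iframe src="/a"></iframe><iframe src="/b"></iframe>' +
        '<iframe src="/c"></iframe></div>',
};
// With no iframes in the UI, as in the fix reported above, both states match.
const after = {
  empty: '<div id="chat"><p>No messages</p><!-- <iframe> removed --></div>',
  full: '<div id="chat"><div class="msg">hi</div></div>',
};

console.log(auditFrameLeak(before));
console.log(auditFrameLeak(after));
```

Run it in a UI test suite against real rendered snapshots of each private state; any non-empty `distinguishable` list marks a pair of states that differ in frame count.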
