A new vulnerability has been found that allows bad actors to see who users have been talking to on Facebook. Discovered and disclosed by security firm Imperva, the issue is not an exploit of Facebook’s security, but rather a method for tricking unwitting users. Hackers trick users into clicking a malicious website. Once there, a tab opens on the user, allowing the hacker to take information. The data would have to be stolen quickly as the user would only be distracted briefly. Imperva explains the exploit in its disclosure blog: “The new tab would start playing a video, keeping the user busy while we load the user messenger conversation endpoint in the background tab. While Messenger loads in the background, we record the iframe count as I previously explained, allowing us to detect whether or not the current user has been in contact with specific users or Facebook Messenger bots.” As mentioned, this is certainly no Cambridge Analytica or Android data scraping scandal and not Facebook’s fault. However, the company could do without these kinds of problems considering its worsening reputation as the most untrustworthy tech company.
Fix
In a statement, the social network giant said it created and issued a fix as soon as it was told about the exploit. “The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” a Facebook spokesperson told Gizmodo in response to a query. “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
