Facebook is again dealing with a privacy issue, this time in Messenger's desktop website. The application used iframe elements to power its interface, and those iframes could clue attackers in on conversations held within Messenger, because the number of iframes fluctuates when messaging different users. Because of this, attackers were able to distract users by getting them to click on malicious links that took them to various sites while the exploit executed in the background. Essentially, Messenger is reloaded in the background and the number of iframes is counted, which determines whether a user has been chatting with a specific person. Although the attacker cannot expose the complete content of a conversation, they are able to run a Cross-Site Frame Leakage attack. An unnamed researcher on a blog commented, “When the current user has not been in contact with a specific user, the iframe count would reach three and then always drop suddenly for a few milliseconds. This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy.” Facebook was contacted and tried to randomize the iframes, but the bug could still be exploited. Eventually Facebook removed the iframe elements completely.
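A site owner can look for the same frame-count signal in their own test runs. The following is an added example, not code from the researcher or from Facebook: it takes frame-count traces recorded for two application states and reports which features tell the states apart. The traces are constructed, the function names are hypothetical, and the steady behaviour of the "contacted" state is an assumption.

```javascript
// Added example: audit frame-count traces from your own app's test runs.
// A trace is a list of frame counts sampled at a fixed interval during page load.

// Constructed sample traces (not real Messenger data).
// Assumption: in the "contacted" state the count climbs to three and stays there.
const CONTACTED = [[0, 1, 2, 3, 3, 3], [0, 2, 3, 3, 3, 3]];
// Per the researcher's description: reaches three, then drops briefly.
const NOT_CONTACTED = [[0, 1, 2, 3, 1, 3], [0, 1, 3, 2, 3, 3]];

function traceFeatures(trace) {
  if (trace.length === 0) throw new Error("empty trace");
  const peak = Math.max(...trace);
  // Transient drop: after first reaching the peak, the count dips, then recovers.
  let dipped = false;
  let transientDrop = false;
  for (let i = trace.indexOf(peak) + 1; i < trace.length; i++) {
    if (trace[i] < peak) dipped = true;
    else if (dipped) { transientDrop = true; break; }
  }
  return { peak, transientDrop };
}

// A feature leaks state when it is constant within each state
// but takes a different value in the other state.
function leakingFeatures(tracesA, tracesB) {
  if (!tracesA.length || !tracesB.length) throw new Error("need traces for both states");
  const fa = tracesA.map(traceFeatures);
  const fb = tracesB.map(traceFeatures);
  return Object.keys(fa[0]).filter((name) => {
    const a = new Set(fa.map((f) => f[name]));
    const b = new Set(fb.map((f) => f[name]));
    return a.size === 1 && b.size === 1 && [...a][0] !== [...b][0];
  });
}

// Constructed padding: a different constant number of decoy frames per load.
function padTraces(traces, offsets) {
  return traces.map((t, i) => t.map((count) => count + offsets[i]));
}

console.log(leakingFeatures(CONTACTED, NOT_CONTACTED));
console.log(leakingFeatures(padTraces(CONTACTED, [2, 5]), padTraces(NOT_CONTACTED, [1, 4])));
```

An empty result means none of the tracked features separates the two states. In the padded run the peak varies from load to load, but the shape of the trace still differs between the states.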