Check Point disclosed details about a vulnerability found in Facebook Messenger, both in the online and mobile application. Following Check Point’s responsible disclosure, Facebook promptly fixed the vulnerability.

 

What is this vulnerability?

The vulnerability allows a malicious user to change a conversation thread in the Facebook Online Chat & Messenger App. By abusing this vulnerability, it is possible to modify or remove any sent message, photo, file, link, and much more.

The vulnerability was fully disclosed to the Facebook Security team earlier this month. Facebook immediately responded, and after a joint effort, the vulnerability was patched.

Click here to view the demo

 

What is the potential damage of this vulnerability?

There are a few potential attack vectors abusing this vulnerability. These schemes could have a severe impact on users due to Facebook’s vital role in everyday activities worldwide. Many users rely on Facebook for personal and business related communications, which makes this type of vulnerability very attractive to attackers.

  • Malicious users can manipulate message history as part of fraud campaigns. A malicious actor can change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
  • Hackers can tamper with, alter or hide important information in Facebook chat communications which can have legal repercussions. These chats can be admitted as evidence in legal investigations and this vulnerability opens the door for an attacker to hide evidence of a crime or even incriminate an innocent person.
  • The vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date.

 

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point. “We applaud Facebook for such a rapid response and putting security first for their users.”

  

Full Technical Analysis

 

Check Point Security Researcher Roman Zaikin discovered the vulnerability allows hackers to control the Facebook chat and adjust the messages according to his needs, including deleting them and replacing text, links, and files.

 

Each message in the Facebook chat applications, both online and mobile, has its own identifier “message_id” parameter. An attacker can store this request, containing the identifier, via a proxy while he launches his malicious attempt.

 

The image below shows a request sent to: www.facebook.com/ajax/mercury/send_message.php

 

FB1

Figure 1: Sending Message

An attacker can reveal the “message_id” by sending the request to: www.facebook.com/ajax/mercury/thread_info.php

FB2

Figure 2: Revealing Message IDs

 

Once the attacker has found the message ID, he can alter the content of the message and send it to the Facebook servers. The content is changed without a push message to the users’ PC or mobile device.

 

POC – abusing the vulnerability for a ransomware campaign

 

By abusing Facebook chat or Messenger chat, attackers can alter conversations for various purposes. In this section, we will demonstrate a possible attack flow which exploits this vulnerability to distribute ransomware.

 

First, the attacker sends a legitimate message to a potential target:

 

FB3

Figure 3: Legitimate Contact

 

The attacker will then alter the message to contain an infected link or file. As you can see in the image below, the message “Hi” changed to “RANSOMWARE COMMAND AND CONTROL ROULETTE”.

 

FB4

Figure 4: Altering The Message

 

Next, the hacker can manipulate the same attack vector to overcome one of the biggest challenges standing in the face of ransomware today: maintaining an active command & control server. Usually, ransomware campaigns last only several days because the infected links and the C&C addresses become known, and blocked by security vendors, forcing the attacker to shut down his activity and begin again from scratch. However, with this vulnerability, the hacker could implement automation techniques to continually outsmart security measures when the command & control servers are replaced.

 

Check Point disclosed the vulnerability to Facebook and Facebook took immediate action to patch the vulnerability.

 

Check Point continues to be on the lookout for vulnerabilities in common software and internet platforms, disclosing issues as they are discovered, alerting, protecting consumers and customers against tomorrow’s threats.

 

Click here to watch the full demo


  1. Nice find, but it sounds a bit overexposed. The way it is explained, anyone that wants to use this vulnerability would need to be the original sender ór have access to the person’s facebook account.
    The explanation above writes that the request sent to the sendMessage API (containing the message id), can be reveiled by sending the same request to the thread_info API.
    Reading only this brings up the question: if you already know the contents of the original request (and the message id is contained in it), why would one bother to re-gain it through the thread_info API?
    The answer is most likely (hopefully!) in the fact that the original request is sent encrypted (instead of plain text); in that case, re-sending the same encrypted message to the thread_info API resulting in giving back the message id sounds like a serious issue… If that is the vulnerability that is attempted to be explained above, then please update the description to make it more clear.

Comments are closed.