A critical vulnerability known as the "Originull" bug has exposed Facebook Messenger conversations to hackers, but Facebook reportedly patched it as soon as it found out.
Instant messaging apps such as Facebook Messenger, WhatsApp, Viber and others have gradually replaced traditional text messages, but have also exposed users to new threats.
Facebook Messenger amasses a vast user base of more than one billion active monthly users, but are messages exchanged on the platform secure?
Facebook Messenger Private Messages Exposed
Security research firm Cynet reported earlier this week that a critical vulnerability threatened Facebook Messenger security and privacy. According to the report, the Originull hack potentially affects millions of websites that rely on the origin null restriction checks, exposing them to hacks.
Originull is a cross-origin bypass attack that enables hackers to use an external website to read Facebook users' private messages. The critical vulnerability reportedly affected both the mobile app and the website.
"Unlike photo and status features designed specifically for sharing and publishing, the power of Messenger is in the ability to communicate privately," Cynet points out.
"The hack, dubbed 'Originull,' enables an attacker to access and view all of a user's private chats, photos and other attachments sent via Facebook Messenger."
Cynet researcher Ysrael Gurt discovered and reported the flaw to Facebook and the social network has already taken action, patching the vulnerability.
How It Happened
Web browsers typically protect users from such hacks by only allowing Facebook pages to handle the information. This bug, however, prompted Facebook to draw a bridge allowing its subsites to access the data. The flaw that Gurt found related to how Facebook manages the identity of subsites such as Facebook Messenger.
Hackers could exploit the flaw by tricking Facebook Messenger users to visit a malicious website, thus gaining access to their private messages - both sent and received. The "bait" could be a security issue notification, a malicious ad or the hacker's own website.
For more technical information, check out Cynet's detailed report [PDF].
Prompt Reaction
As alarming as it is that a vulnerability enabled hackers to access private conversations, photos, videos, and other information transmitted through Facebook Messenger, it's commendable that Facebook took action immediately and patched the flawed element as soon as it was brought to its attention.
Facebook has not issued any statement in this regard and it remains unclear whether the hack was actually exploited and, if so, how many users' messages were compromised.
To get a better idea of what happened, check out Cynet's video below.
Photo: Kārlis Dambrāns | Flickr
