Instant messaging is a blessing and a curse. It's a convenient way to keep in touch with friends all over the world, but it also means whatever you say stays on record. You can't exactly erase something you regret sending, least of all from the recipient's end. Or can you? Researchers from security vendor Check Point found a way to do just that, through a vulnerability in Facebook's popular Messenger app.
Video of the bug in action (from Check Point)
How many times have you said something stupid, carelessly or in a fit of rage, in an online message and regretted it almost instantly after pressing send? You desperately want to retract it, but you can't. Even if you delete it from your own chat log, the recipient still has it in their chat history. On most, if not all, online chat apps there is no way to erase a sent message on your own, and Facebook Messenger is no exception.
But researchers at Check Point found a vulnerability that could let someone do exactly that. According to the company, the flaw gave an attacker a way to alter conversation threads in both Facebook's web chat and the Messenger app: any sent message, photo or file could be modified or removed from the other party's chat history, not just the attacker's own copy.
Having said that, if you've put your foot in your mouth and really hurt someone with your words, it's probably not wise to go looking for security flaws to wipe away the evidence.
From a more practical perspective, considering that Facebook wants to turn Messenger into a serious business tool, flaws of this kind give attackers a real incentive to find and exploit them. According to Check Point, these are some of the potential abuse scenarios:
- Malicious users can manipulate message history as part of fraud campaigns. A malicious actor can change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
- Hackers can tamper with, alter or hide important information in Facebook chat communications, which can have legal repercussions. These chats can be admitted as evidence in legal investigations, and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.
- The vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date.
Check Point notified Facebook of the bug, and it was swiftly patched.
You can find an analysis of the vulnerability over on the Check Point security blog.
[Via Check Point blog]