A new security flaw in the web version of Facebook Messenger could allow any website to see the names of the people you have been texting.
Security researcher Ron Masas of Imperva, an online privacy monitoring website, reported the vulnerability as “Cross-Site Frame Leakage” (CSFL), a side-channel attack performed in an end user’s web browser. The flaw was first spotted in November.
“As happens with applications I regularly use, I felt the need to understand how Facebook Messenger works,” Masas wrote in a blog post.
The flaw exploits an element called an ‘iframe’, which is used to see whether a user is active or passive on Facebook Messenger.
“I started poking around the Messenger Web application and noticed that iFrame elements were dominating the user interface,” he continued. “The chat box, as well as the contact list, were rendered in iFrames, opening the possibility for a CSFL attack.”
“This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy.”
‘By recording the frame count data over time, I found two new ways to leak cross-origin information.
‘By looking at patterns instead of a static number, I was able to leak the “state” of a cross-origin window.’
Facebook Messenger has now removed all the active iframes from its website.
‘The bug is a browser issue related to how they handle content embedded in webpages and could affect any site, not just Messenger.com,’ a Facebook spokesperson told MailOnline.
‘We already fixed the issue for Messenger.com last year to safeguard our users and made recommendations to browser makers to prevent this type of issue from happening.’