Vulnerability in Facebook's messaging enabled hackers to insert malicious items

Facebook Vulnerability Demo
Check Point Software Technologies said on Tuesday that it discovered a vulnerability in the Facebook Messenger app and Facebook Online Chat that could potentially allow a hacker to change the conversation thread. While that doesn’t seem all that alarming at first glance (as compared to hacking an account and grabbing credit card details), the hacker could inject links into the conversation, sending recipients to a malicious website. Malicious videos and photos could be added too.

But there are even bigger risks. The company points out that hackers could manipulate a victim’s message history in a fraud campaign to show that the individual reached a “falsified” agreement. Hackers can also alter important messages in a Facebook chat that could cause legal issues, making the victim look guilty in a potential crime even though he or she is innocent.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” said Oded Vanunu, head of products vulnerability research at Check Point.

According to the company, researcher Roman Zaikin found the vulnerability. He discovered that messages sent and received in both chat applications each have their own identifier, the “message_id” parameter. The hacker can get this identifier by sending a request to a specific Facebook address, and once it’s obtained, the hacker can alter the content of the attached message and send it to Facebook’s servers. Thus, users have no idea their messages were altered.

As an example of an attack, the hacker could send a legitimate message to a potential victim. Once the message is received, the hacker can then alter that message to include a malicious link or file. In the video demo shown above, viewers can clearly see Zaikin controlling the entire Facebook chat, texting that cybercriminals can send malicious content through the vulnerability and fully control the conversation. The infection points can be adjusted “seamlessly,” he writes, and the message remotely deleted from the Facebook account to cover the hacker’s tracks.
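The message-replacement flow described above, modelled as an added example (not Check Point's or Facebook's code): a toy in-memory store that accepts a resubmitted message_id, beside a write-once version, plus a recipient-side digest check that flags changed history. The class names, the `mid.1` identifier and the sample messages are constructed assumptions.

```python
import hashlib


class MessageStore:
    """Toy in-memory chat store keyed by message_id (hypothetical model)."""

    def __init__(self, immutable):
        self.immutable = immutable
        self.messages = {}   # message_id -> (sender, body)
        self.rejected = []   # audit trail of refused overwrite attempts

    def submit(self, message_id, sender, body):
        existing = self.messages.get(message_id)
        if existing is not None and self.immutable:
            # Hardened: a delivered message_id is write-once.
            self.rejected.append((message_id, sender))
            return False
        # Weak behaviour: whatever arrives last for a message_id wins.
        self.messages[message_id] = (sender, body)
        return True


def digest(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class Recipient:
    """Client that pins a digest of each message when it is first displayed."""

    def __init__(self):
        self.pinned = {}

    def altered_ids(self, store):
        """Return the message_ids whose content changed since first seen."""
        changed = []
        for mid, (_, body) in store.messages.items():
            first = self.pinned.setdefault(mid, digest(body))
            if first != digest(body):
                changed.append(mid)
        return changed


def replay(immutable):
    """Constructed scenario: a benign message, later resubmitted with new content."""
    store, reader = MessageStore(immutable), Recipient()
    store.submit("mid.1", "alice", "Lunch at noon?")
    reader.altered_ids(store)   # first view pins the digest
    accepted = store.submit("mid.1", "alice", "Lunch at noon? http://example.invalid/x")
    return accepted, reader.altered_ids(store), len(store.rejected)
```

With `immutable=False` the second submission silently replaces the stored text and only the pinned digest reveals it; with `immutable=True` the store refuses the write and logs the attempt.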

“Usually, ransomware campaigns last only several days because the infected links and the C&C addresses become known, and blocked by security vendors, forcing the attacker to shut down his activity and begin again from scratch,” the company wrote in a recent blog post. “However, with this vulnerability, the hacker could implement automation techniques to continually outsmart security measures when the command & control servers are replaced.”

While the report sounds a bit scary knowing that Facebook users could potentially send malware to friends unintentionally, the good news here is that Facebook immediately fixed the vulnerability after it was contacted by Check Point. Still, it’s only a matter of time before another vulnerability is found and Facebook users will have to worry about what they send and receive in chat conversations through the social network. Until then, Facebook members can chat to their heart’s content!

Kevin Parrish
Former Digital Trends Contributor