But there are even bigger risks. The company points out that hackers could manipulate a victim’s message history in a fraud campaign to show that the individual reached a “falsified” agreement. Hackers can also alter important messages in a Facebook chat that could cause legal issues, making the victim look guilty in a potential crime even though he or she is innocent.
“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” said Oded Vanunu, head of products vulnerability research at Check Point.
According to the company, researcher Roman Zaikin found the vulnerability. He discovered that messages sent and received in both chat applications have their own identifier “message_id” parameter. The hacker can get this information by sending a request to a specific Facebook address, and once it’s obtained, the hacker can alter the content of the attached message and send it to Facebook’s servers. Thus, users have no idea their messages were altered.
As an example of an attack, the hacker could send a legitimate message to a potential victim. Once the message is received, the hacker can then alter that message to include a malicious link or file. In the video demo shown above, viewers can clearly see Zaikin controlling the entire Facebook chat, texting that cybercriminals can send malicious content through the vulnerability and fully control the conversation. The infection points can be adjusted “seamlessly,” he writes, and the message remotely deleted from the
“Usually, ransomware campaigns last only several days because the infected links and the C&C addresses become known, and blocked by security vendors, forcing the attacker to shut down his activity and begin again from scratch,” the company wrote in a recent blog post. “However, with this vulnerability, the hacker could implement automation techniques to continually outsmart security measures when the command & control servers are replaced.”
While the report sounds a bit scary knowing that Facebook users could potentially send malware to friends unintentionally, the good news here is that
- How to watch Google’s highly anticipated AI event in Paris today
- 5 features I’m itching to try in Microsoft’s ChatGPT-powered Edge Browser
- Microsoft is bringing ChatGPT to your browser, and you can test it out right now
- Experts fear ChatGPT will soon be used in devastating cyberattacks
- TikTok should be expelled from app stores, senator says