Skip to main content

Vulnerability in Facebook's messaging enabled hackers to insert malicious items

Check Point Software Technologies said on Tuesday that it discovered a vulnerability in the Facebook Messenger app and Facebook Online Chat that could potentially allow a hacker to change the conversation thread. While that doesn’t seem all that alarming at first glance (as compared to hacking an account and grabbing credit card details), the hacker could inject links into the conversation, sending recipients to a malicious website. Malicious videos and photos could be added too.

But there are even bigger risks. The company points out that hackers could manipulate a victim’s message history in a fraud campaign to show that the individual reached a “falsified” agreement. Hackers can also alter important messages in a Facebook chat that could cause legal issues, making the victim look guilty in a potential crime even though he or she is innocent.

Recommended Videos

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations,” said Oded Vanunu, head of products vulnerability research at Check Point.

According to the company, researcher Roman Zaikin found the vulnerability. He discovered that messages sent and received in both chat applications have their own identifier “message_id” parameter. The hacker can get this information by sending a request to a specific Facebook address, and once it’s obtained, the hacker can alter the content of the attached message and send it to Facebook’s servers. Thus, users have no idea their messages were altered.

As an example of an attack, the hacker could send a legitimate message to a potential victim. Once the message is received, the hacker can then alter that message to include a malicious link or file. In the video demo shown above, viewers can clearly see Zaikin controlling the entire Facebook chat, texting that cybercriminals can send malicious content through the vulnerability and fully control the conversation. The infection points can be adjusted “seamlessly,” he writes, and the message remotely deleted from the Facebook account to cover the hacker’s tracks.

“Usually, ransomware campaigns last only several days because the infected links and the C&C addresses become known, and blocked by security vendors, forcing the attacker to shut down his activity and begin again from scratch,” the company wrote in a recent blog post. “However, with this vulnerability, the hacker could implement automation techniques to continually outsmart security measures when the command & control servers are replaced.”

While the report sounds a bit scary knowing that Facebook users could potentially send malware to friends unintentionally, the good news here is that Facebook immediately fixed the vulnerability after it was contacted by Check Point. Still, it’s only a matter of time before another vulnerability is found and Facebook users will have to worry about what they send and receive in chat conversations through the social network. Until then, Facebook members can chat to their heart’s content!

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Best of Computex 2025 awards: The tech that impressed us the most
Best of Computex 2025

Although Computex 2025 is still far from over, the biggest announcements have already been dropped, and this year's event turned out to be quite exciting. From graphics cards to laptops and monitors, there's plenty of options for a tech enthusiast to dig into, and some -- if not most -- of these new innovations are already available, or will be soon.

Out of all the thrilling new tech that companies such as AMD, Asus, Acer, and MSI announced, what impressed us the most? Below, you'll find the new releases that scored our Best of Computex 2025 award.

Read more
Google IO 2025 summary: 5 big announcements you’ll want to know
Google IO 2025 logo on the surface of the earth

Google IO 2025 delivered us a huge helping of AI during the almost two-hour opening keynote.

Google's CEO, Sundar Pichai, and colleagues got through an awful lot on stage, and while some of the talk was aimed primarily at developers, there were plenty of big announcements for us - the people on the street - to explore.

Read more
How to keep your Apple devices safe from AirPlay attacks
Apple AirPlay streaming to another device.

Apple’s approach to building new features has always been rooted in safety and seamless convenience. Take, for example, AirPlay, a wireless standard created by the company that allows users to stream audio and video from one device to another.

AirPlay works not just across Apple devices, but also on TVs and speakers cleared by the company to offer the wireless streaming facility. That also makes it a ripe target for attacks, and it seems there are, in fact, vulnerabilities in the wireless lanes that could allow bad actors to seed malware and infect more connected devices. 

Read more