Wednesday 14 December 2016

Facebook Messenger Hijacked (Originull Vulnerability)

A critical issue was found in Facebook's private chats which allowed attackers to read all of your private conversations.

A security researcher discovered this vulnerability, which affected the privacy of around 1.8 billion Messenger users.


How were attackers targeting users?

All they had to do was redirect the victim to a malicious website. Once the victim clicked the link, all of their private conversations, whether from the Facebook Messenger app or a web browser, became accessible to the attacker, including photos and videos.

Dubbed the Originull vulnerability, because Facebook chats are served from separate servers, {number}-edge-chat.facebook.com, which are not on the main Facebook domain.

This issue was discovered and reported to Facebook by security researcher Ysrael Gurt (Facebook has since fixed the flaw).


The vulnerability is a cross-origin bypass which allows an attacker to use an external website to access and read a user's private Facebook messages. Normally the browser protects Messenger users from this by only allowing Facebook pages to access that information. However, Facebook opens a "bridge" so that "subsites" of Facebook.com can access Messenger information. A flaw in the way Facebook verified the identity of these subsites made it possible for a malicious website to access private Messenger chats.


"Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the "Access-Control-Allow-Origin" header with the caller’s origin, and the "Access-Control-Allow-Credentials" header with "true" value, so that the data is accessible even when the cookies are sent," Gurt explained.

The root of this issue was a misconfigured cross-origin (CORS) header implementation on Facebook's chat server domain, which allowed an attacker to bypass origin checks and read Facebook messages from an external website.

This was a critical issue not only because of the high number of affected users, but also because victims who had sent their messages from another computer or phone were still completely exposed.


The misconfigured response header at the heart of the issue:

Access-Control-Allow-Origin: null
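The two server-side behaviours side by side, as an added example that is not from the original post or from Facebook's code: reflecting the caller's Origin (which turns the literal "null" origin into a credentialed grant) versus an exact-match allowlist. The allowlisted origins are constructed for illustration only.

```python
"""Weak vs. hardened handling of the Origin header on a credentialed CORS endpoint."""

# Constructed allowlist for this example; the real chat endpoint's policy is not on the page.
ALLOWED_ORIGINS = frozenset({
    "https://www.facebook.com",
    "https://m.facebook.com",
})


def weak_cors_headers(request_origin):
    """Reflect whatever Origin the browser sent, including the literal string 'null'.

    Browsers send 'Origin: null' for sandboxed iframes and data:/file: documents, which
    are not tied to any site. Answering 'Access-Control-Allow-Origin: null' together with
    'Access-Control-Allow-Credentials: true' therefore grants any such document access to
    the cookie-authenticated response. This is the pattern behind the header shown above.
    """
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Grant access only to an exact, serialized origin from the allowlist.

    'null', missing origins, unrelated sites, suffix look-alikes and http:// variants all
    fall through to an empty dict, i.e. no CORS headers, so the browser withholds the body.
    'Vary: Origin' keeps caches from serving one origin's grant to another.
    """
    if not request_origin or request_origin == "null":
        return {}
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def response_readable_by(caller_origin, cors_headers):
    """Mirror the browser's check for a credentialed XHR: the body is exposed only if
    ACAO equals the caller's origin (no wildcard allowed with credentials) and ACAC is 'true'."""
    acao = cors_headers.get("Access-Control-Allow-Origin")
    acac = cors_headers.get("Access-Control-Allow-Credentials")
    return acao is not None and acao != "*" and acao == caller_origin and acac == "true"
```

Running the hardened function against a logged Origin value is also a cheap regression check: any non-empty result for "null" means the misconfiguration is back.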

Gurt has also released a proof-of-concept video demonstration of the Originull vulnerability, which shows the cross-origin bypass attack in action.


The researcher disclosed this critical vulnerability to Facebook through its Bug Bounty Program.

Facebook's team acknowledged the issue and patched the vulnerable component.