Wednesday, 14 December 2016

Facebook Messenger Hijacked(Originnull Vulnerability)

Critical Issue found in Private Chats of Facebook which allowed attackers to read all your Private Conversations.

A Security Researcher has discovered this Vulnerability which is affecting the privacy of around 1.8 billion messenger users.


How Attackers targeting us?

All they are doing is redirecting us to a malicious website. Once we have clicked on the link. All private conversations either from Facebook messenger or a web browser, would be accessible to attacker including photos and video's as well.

Dubbed Origin-null Vulnerability as Facebook hats are linked to another servers {number}-edge-chat.facebook.com which is not on actual Facebook domain.

This Issue was discovered and reported to Facebook by Security Researcher Ysrael Gurt(Facebook has since fix this flaw.)


The Vulnerability discovered is a cross-origin bypass attack which allows the hacker to use an external website to access and read a use's private Facebook messages. Normally the Browser protects Messenger users from such occurrences by only allowing Facebook pages to access this information. However, Facebook opens a "bridge", in order to enable "subsites" of Facebook.com to access Messenger Information. A Vulnerability in the manner in which Facebook manages the identity of these subsites makes it possible for a malicious website to access private Messenger Chats.


"Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the "Access-Control-Allow-Origin" header with the caller’s origin, and the "Access-Control-Allow-Credentials" header with "true" value, so that the data is accessible even when the cookies are sent," Gurt explained"

The root of this issue was misconfigured cross-origin header implementation on Facebook's chat server domain, which allowed an attacker to bypass origin checks and access Facebook messages from an external website.

This was a critical issue, not only due to high number of affected users, but also because if any victim sent their messages using another computer or mobile, they were still completely Vulnerable"


 Access-Control-Allow-Origin: null

Gurt has also release a proof-of concept video demonstration of Originnull vulnerability, which shows the cross-origin-bypass-attack in action.


The Researcher disclosed this critical Vulnerability to Facebook through Bug Bounty Program.

Facebook team has acknowledged the issue and patched the Vulnerable Component.

No comments:

Post a Comment