Wednesday, 18 January 2017

FACEBOOK VOICE MESSAGES HACKED


A simple hack allows hackers to listen to all your Facebook Messenger voice messages, as well as those on Facebook-owned WhatsApp.


Security researcher Mohamed A. Baset says that a vulnerability in Facebook allows a hacker to listen to your private Facebook voice messages sent over chat. This is possible due to the lack of proper authentication and HSTS policy on Facebook CDN servers. While Facebook has acknowledged the bug, it has yet to patch it. The company has also said that it's working to roll out HSTS to its subdomains.

How does a Hacker listen to your Facebook voice message?
Here’s a proof-of-concept video of the Facebook voice messages CDN hack:

Facebook Has Still Not Patched This Bug

Both Facebook Messenger and WhatsApp allow users to send voice messages using the mic icon in the chat bar. Although most users don't use the Facebook Messenger voice message feature, it is still very popular.

Whenever you send a message to anyone, be aware that your messages might be sniffed by potential hackers (MITM attack).

Egyptian security researcher Mohamed A. Baset has found a vulnerability in Facebook Messenger's audio clip recording feature that allows any hacker to listen to the voice messages.

A MITM attack allows any hacker to grab your audio clip files from the Facebook server.

How does a Hacker Listen to the Message?

The Facebook Messenger voice chat flaw is so simple that a hacker with minimal technical skill can exploit it. Whenever a person records an audio clip and sends it to another person, the clip is uploaded to Facebook's CDN server (for example, https://z-1-cdn.fbsbx.com/…), which then serves the same audio file, over HTTPS, to both the sender and the receiver.

Now, any attacker sitting on your network and running a MITM attack with SSL Strip can extract the absolute links (including the secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during that process.
Then, the attacker downgrades those absolute links from HTTPS to HTTP, which allows the attacker to download those audio files directly without any authentication.
Baset explains that the issue lies in the way the chat is exchanged over HTTPS to HTTP servers. Facebook is yet to implement a transport security policy called HSTS. HSTS (HTTP Strict Transport Security) forces browsers to access a website only over an HTTPS connection while disallowing communication between a secured and an unsecured web server. In this case, Facebook is yet to roll out an HSTS policy for its chat servers. The issue is made worse by the fact that Facebook also lacks proper authentication, allowing any hacker to launch a MITM attack and snoop on the voice chat.
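How a browser applies HSTS, and why a policy that does not cover a CDN subdomain leaves plain-HTTP links to that subdomain un-upgraded, shown as an added example (not code from the original post or from Facebook). The hosts `example.com` and `cdn.example.com` and the header values are constructed, and the store is a simplified model that ignores expiry and preload lists.

```python
from urllib.parse import urlsplit

def parse_hsts(value):  # parse a Strict-Transport-Security value; None if unusable
    max_age, include_sub, seen = None, False, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = (s.strip() for s in part.lower().partition("="))
        if name in seen:                  # a repeated directive voids the header
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip('"')          # the value may be a quoted-string
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                   # max-age is mandatory
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

class HstsStore:  # simplified model of a browser's list of known HSTS hosts
    def __init__(self):
        self.hosts = {}
    def note_response(self, url, headers):
        parts = urlsplit(url)
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or policy is None:
            return                        # a header seen over plain HTTP is ignored
        if policy["max_age"] == 0:
            self.hosts.pop(parts.hostname, None)   # max-age=0 removes the entry
        else:
            self.hosts[parts.hostname] = policy
    def is_protected(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):      # exact host first, then each parent domain
            policy = self.hosts.get(".".join(labels[i:]))
            if policy and (i == 0 or policy["include_subdomains"]):
                return True
        return False
    def effective_url(self, url):         # URL actually requested after HSTS is applied
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_protected(parts.hostname):
            return parts._replace(scheme="https").geturl()
        return url

def demo():  # constructed case: the apex sends HSTS without includeSubDomains
    store = HstsStore()
    store.note_response("https://example.com/", {"Strict-Transport-Security": "max-age=31536000"})
    return store.effective_url("http://cdn.example.com/clip.mp4")  # stays http://
```

Sending the header from the CDN host itself, or adding `includeSubDomains` to the parent policy, makes `effective_url` return the `https://` form, so a downgraded link is never requested in clear text by a browser that has already seen the policy.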

Though the FB voice chat vulnerability looks critical, Facebook is yet to patch it. Baset informed Facebook security engineers about the vulnerability long ago. While Facebook engineers have acknowledged the bug, the company has neither offered Baset a bug bounty nor patched the bug. “The fact that we have not rolled it (HSTS) out on particular subdomains does not constitute a valid report under our program,” the company said.
“In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify,” it added.

Proof of Concept: Bug Not Yet Fixed

