JUST A DAY after Mr Facebook himself, Mark Zuckerberg, assured people he wanted Facebook to be a privacy-focused platform, security researchers have revealed it's just as susceptible to leaks as ever.
In a new blog post, security firm Imperva demonstrated how an iframe bug in Messenger would allow hackers to find out exactly who you've been talking to on the platform. Hackers wouldn't be able to see what you were saying or when, just that you'd ever spoken to someone on it.
The exploit would occur via a third-party website in the form of a CSFL (Cross-Site Frame Leakage) attack. That's a method that exploits the cross-origin properties of iframes to check on their state, and it would require a user to be logged in to Facebook at the same time.
In this vulnerability, a hacker would be able to run the process on any individual Messenger contact revealing either a full or empty state. If it was the former, they'd chatted, if it was the latter, they hadn't.
Initially Facebook tried to get around the problem by randomising the iframe elements, but Imperva explained that an algorithm could still reveal the same information. So Facebook waved the white flag and removed iframes from Messenger completely.
As the company said in a statement to The Verge: "The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook."
That's a problem, as they're not the most commonly spotted of exploits, as Imperva's Ron Masas wrote in his conclusion: "Browser-based side channel attacks are still an overlooked subject. While big players like Facebook and Google are catching up, most of the industry is still unaware." µ
Some deliberately, others through stupidity
Quite the business expense
It's another quantum leap camera
Evolution, not revolution, but that's just fine