A Facebook Bug Allowed Hackers to Delete and Modify Sent Messages

Ever regretted hitting the Send/Enter button just a little too quickly on Facebook Messenger? Wouldn't you love having a way to modify your sent messages? Even better, what if Facebook let you delete messages from the receiver's end? It would be awesome to get rid of all those embarrassing messages you might have sent to someone you once had a crush on. If you have been plotting a possible account takeover to remove the messages you have sent, researchers have come to your aid, saying that it is indeed possible.

Facebook Messenger exploit lets you modify and delete messages sent to others

Researchers from the security firm Check Point have shown that you can modify messages after you have hit the Send button in Facebook Messenger. Roman Zaikin, a security researcher, shared that a simple HTML tweak could be used to modify or delete messages, photos, files, and links from the target's Facebook account.

The issue stems from how Facebook assigns identities to chat messages. Each message in Facebook Messenger has a unique "message_id" identifier, which an attacker could obtain by sending a request to www.facebook.com/ajax/mercury/thread_info.php. An attacker can then send a modified message using the same ID, thereby replacing the previous message. Facebook would treat the new message as legitimate and discard the original message content.
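To make the mechanism concrete, here is a toy message store (an added example, not Facebook's code or Check Point's proof of concept) that accepts client-supplied message IDs. The vulnerable mode lets a later message with a reused ID overwrite the original; the hardened mode treats a message_id as assigned once and rejects any reuse, so the original can never be silently replaced. All message data is constructed.

```python
"""Toy model of the message-ID reuse bug (constructed example, not Facebook's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    message_id: str   # client-chosen identifier, as the article describes
    sender: str
    body: str


class DuplicateMessageId(ValueError):
    """Raised when a message_id already present in the thread is reused."""


@dataclass
class Thread:
    hardened: bool
    messages: dict = field(default_factory=dict)  # message_id -> Message

    def receive(self, msg: Message) -> Message:
        """Store an incoming message; return what the thread now shows for its id."""
        existing = self.messages.get(msg.message_id)
        if existing is not None and self.hardened:
            # Server-side rule: an id is assigned once and is immutable. A later
            # message carrying the same id is rejected (and worth alerting on),
            # so the original cannot be replaced or removed by the sender.
            raise DuplicateMessageId(
                f"message_id {msg.message_id!r} already used by {existing.sender}")
        # Vulnerable behaviour: the newest payload wins and the original is lost.
        self.messages[msg.message_id] = msg
        return msg


def demo(hardened: bool) -> str:
    """Replay the article's scenario; return the body now shown for id 'm1'."""
    thread = Thread(hardened=hardened)
    thread.receive(Message("m1", "alice", "Agenda: https://example.com/agenda"))
    # Second message reusing the id taken from the thread listing (constructed).
    try:
        thread.receive(Message("m1", "alice", "Agenda: https://example.com/changed"))
    except DuplicateMessageId:
        pass  # hardened store leaves the original untouched
    return thread.messages["m1"].body


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))
    print("hardened:  ", demo(hardened=True))
```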

While a simple bug, it could be exploited to send malicious links that could lead to malware being installed on the victim's devices. The researchers have released a proof-of-concept video showing the Facebook Messenger vulnerability in action.

Facebook has rated the vulnerability as low risk. Although an interesting exploit, it could have severe consequences for targeted users. For one, it could enable fraud campaigns that replace legitimate links and files with malicious content. "Hackers can tamper, alter or hide important information in Facebook chat communications, which can have legal repercussions. These chats can be admitted as evidence in legal investigations, and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person," Check Point's research team noted.

The security research firm claims that the flaw affected both the web and mobile versions of the messaging application. However, Facebook has said that it only impacted the Android app of Facebook Messenger, and that the "message duplication" could only be exploited to change your own messages, not someone else's. In a blog post published earlier today, Facebook shared:

This bug affected the Android Messenger interface, but the message content was still correctly reflected on other platforms. We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn't permanently changed.

The researchers informed Facebook about this vulnerability earlier this month, and the social networking giant has already fixed the issue. "Based on our investigation, this simple misconfiguration in the Messenger app on Android turned out to be a low risk issue and it's already been fixed," Facebook said.