Monday, 27. June 2016

Facebook Messenger flaw underscores risk of growing reliance on chat platforms

Users should be cautious when utilizing online chat platforms, and be sure to keep an eye out for anything suspicious. In recent years, chat platforms have exploded in popularity. This is true not only for consumer-level users, but enterprises users as well as businesses continue to adopt real-time communication platforms to enhance productivity.

While an array of options now exist – including WhatsApp, Yahoo Messenger and Signal – Facebook Messenger is arguably the most utilized of the bunch. The social media giant cemented its status in the market when it released Messenger, and with 900 million users as of April 2016, it's hard to argue against its acclaim. According to Expanded Ramblings, the platform really took off after Facebook lifted certain rules requiring users to have an account:

•  Currently, 11 percent of the global population uses Messenger on a monthly basis.
•  Overall, more than 9 million photos are sent via the platform each month.
•  As of late 2015, Messenger had been downloaded 1 billion times in the Google Play store.

However, a recently discovered flaw made for a worrisome situation for both Facebook and the millions that have Messenger on their mobile devices.

Facebook flaw: Ability to alter messages  Tom's Hardware contributor Lucian Armasu reported in early June that security researchers had pinpointed a vulnerability in both the web browser and mobile app version of Messenger that would provide certain malicious capabilities to hackers. Further research uncovered that the processes cyber criminals were able to carry out by exploiting this weakness were actually functions that Facebook itself already had access to.

Check Point security researchers found that by obtaining the ID of a user's message, a hacker could transmit a modified version of the message to Facebook's servers, all without the user's knowledge. This opens the door for further, potentially harmful activity, including using the chat platform and connected servers to spread malware to other users.

Even more unsettling is the fact that the message ID isn't all that difficult to ascertain. In fact, Armasu noted that all a hacker would need is some basic HTML skills and a simple browser debugging tool.

"This form of attack can be a profitable strategy for bad actors, who could send malware or ransomware to people's chats by altering one of the existing messages to contain a link to the malware," Armasu wrote. "The attack could also be used to falsify certain details of an agreement or transaction."

However, this isn't a new capability for the platform – before the discovery of this vulnerability, Facebook normally stored users' messages on its servers, and had the ability to modify messages anyway. 

Potential for harm However, it isn't just written content that the vulnerability granted access to. According to SC Magazine Managing Editor Greg Masters, the weakness would also enable hackers to alter photos, attached files or embedded links. Changing chat histories could have devastating consequences when leveraged for harmful purposes, as Masters pointed out.

"Miscreants could have embedded information in Facebook chats, which because the chats could be presented as evidence in legal matters, could have opened the door to false charges," Masters wrote. "The bug also could have allowed the distribution of malware by letting attackers change links and even update them later on to keep current with C&C servers."

A quick fix Thankfully, the social media giant wasted no time in correcting the issue, while also noting that certain aspects of the situation might have been reported incorrectly. A Facebook spokesperson wrote in a statement that the bug enabled users to change their own messages, and that this ability was only temporarily available until the platform refreshed server-side data. What's more, the original versions of messages were also stored, meaning that even if alterations took place, there was still a way to view the unedited versions of chats.

"All of these points make systematic abuse very difficult," Facebook noted.

A growing problem Facebook Messenger isn't the only platform to be impacted by potentially damaging flaws. Trend Micro researcher Rik Ferguson wrote about an experience he recently had with a compromised chat account. A message appeared on the screen from a friend's account, but Ferguson quickly realized that the user on the other end was a chatbot. The bot sent Ferguson a likely compromised link to an IQ test, baiting him to see if he could beat his "friend's" score. Ferguson didn't fall for the ploy, and used the example to demonstrate the rising use of this type of attack. 

"[This] serves to underline the fact that this stuff is absolutely already being used in criminal campaigns and coming to a social network near you as soon as the credibility level can be increased," Ferguson wrote.

Protecting against chatbots Before the flaw was ever discovered and subsequently fixed in Facebook Messenger, the social media giant announced that its next iteration of the chat platform would include encryption, a protection measure that's lacking from the current version. Other similar apps like WhatsApp already have end-to-end encryption in place.

"The system will let users deploy so-called end-to-end encryption meant to block both authorities and Facebook from reading users' texts," The Guardian reported after the announcement was made in May. "Facebook's move illustrates how technology companies are doubling down on secure messaging."

However, as more people continue to leverage chat platforms – including both businesses and consumers alike – it's important that users understand the risks involved and take the necessary steps to protect themselves. Users should be cautious when utilizing online chat platforms, and be sure to keep an eye out for anything suspicious. Similar to Ferguson's example, unfamiliar language or other cues can help individuals identify a compromised account. If there is any uncertainty, users should attempt to double check with senders in person to ensure that links or other content transmitted was sent by an authorized user.

In addition to being aware of current threats, it's also important to have anti-malware and monitoring software installed at the network-level, as well as on each endpoint. This can help ensure that should suspicious activity fall through the cracks, hackers will not be able to further breach the platform or overarching infrastructure.