Facebook bug allowed other users to see your personal chats

Facebook runs into another privacy-threatening bug.

Recently, a Facebook bug was found that let websites obtain user data through a cross-site frame leakage (CSFL) flaw. The same team has now discovered another vulnerability, since fixed, that allowed websites to expose your personal chats through Facebook Messenger.

Imperva security researcher Ron Masas explained in a blog post how a CSFL attack can use the properties of iframe elements to exploit an application. Running the same process against individual Messenger contacts returns one of two states, full or empty, which reveals whether the user has ever messaged that particular contact.

This doesn't go beyond that point. The process didn't retrieve conversations or show chat data; it only revealed a binary result with very few applications. So please put your nefarious plans to rest (if you had any).

Facebook was made aware of this bug, and given the history, the social media giant will be removing all iframes from its chat service entirely.

"Browser-based side-channel attacks are still an overlooked subject," Masas writes on the Imperva blog. "While big players like Facebook and Google are catching up, most of the industry is still unaware."

Besides, Facebook is also planning to add new features to its Messenger app. If the leaks are to be believed, Messenger will soon get an 'unsend' button. However, there is no clear information on when exactly this feature will be rolled out to users.

The addition of the new features seems important at the moment as the social media platform continues to lose active users at a drastic rate. However, its sister platform Instagram is gaining popularity exponentially.
