A Facebook bug allowed hackers to target a person through their web browser, and find out exactly who they were conversing with on Facebook Messenger, according to a blog post published on Thursday by a security researcher.
While Ron Masas, a researcher at security firm Imperva, said the bug was disclosed last year and has been patched, it is just the latest example of the privacy and security concerns that have dogged Facebook over the past year.
If Facebook users were still logged into their accounts and visited a malicious site, they could be targeted, according to Masas. A skilled hacker could pull off the high-level attack by exploiting iframes, which allow websites to show content from an outside source. The attack doesn’t allow hackers to see the messages, according to Masas, but it does allow them to see a list of exactly who their target contacted.
Facebook has since removed iframes, which were used to readjust content or text when a Messenger window size changed.
“We appreciate the researcher’s submission to our bug bounty program,” a Facebook spokesperson said in a statement to Fortune. “The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook. We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
In a lengthy note on Wednesday titled “A Privacy-Focused Vision for Social Networking,” Facebook CEO Mark Zuckerberg said he wants to focus on encrypted messaging on Messenger, Instagram, and WhatsApp.
“As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today’s open platforms,” Zuckerberg wrote. “I expect future versions of Messenger and WhatsApp to become the main ways people communicate on the Facebook network.”
