Just a day after Facebook founder Mark Zuckerberg spoke about its "privacy-focused vision" for WhatsApp, Facebook, and Instagram, cybersecurity firm Imperva detailed a bug in Facebook Messenger that allowed websites to gain access to users' data, including who they were chatting with. The vulnerability in the web version of Messenger allowed any website to expose who you have been messaging. Facebook said Thursday it had patched the bug in December.
In a blog post, Ron Masas, a researcher with cyber security company Imperva, said that the bug was a threat to users' privacy and revealed the person you were in touch with. The bug, however, did not reveal the content of the messages.
"It could be sent to high-profile targets to figure out who they've had a conversation with," Masas said. "If you sent a message to a bot to order pizzas, I would know."
The hack was done by sending a link to the malicious site to the Messenger user. Once the user clicked anywhere on the page, a new window would open - potentially out of view of the user - and allow the hacker to learn whether or not the user had been in conversation with other users on Messenger.
Once the vulnerability was patched, a Facebook spokesperson said in a statement, "We've updated the web version of Messenger to ensure this browser behaviour isn't triggered on our service." The spokesperson also made several recommendations to browser makers and web standards groups to take steps to prevent such issues in other web applications.
Earlier, in a blog post, Facebook CEO Mark Zuckerberg had said that the future of communication is shifting towards private and encrypted services.
"As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today's open platforms," Zuckerberg wrote. "I expect future versions of Messenger and WhatsApp to become the main ways people communicate on the Facebook network."
Edited By: Udit Verma