Facebook has patched a vulnerability in the desktop and mobile versions of its Messenger app that allows an attacker to access and modify chats, exposing the victim to potential fraud and malware.
Researchers at Check Point Software Technologies privately disclosed the issue to Facebook on May 2, and Facebook patched it two weeks later. The flaw, Check Point said, allows an attacker to, among other things, access chat history and add or change links in a chat session. If the victim is persuaded to click on what is now a malicious link, they could start a malware download or establish a connection to an attacker’s command and control server.
Check Point said the victim would be unaware of the changes, and that chat threads could be deleted or modified and links and files replaced or added. Researcher Roman Zaikin is credited with the discovery.