Facebook’s got pretty bad luck with privacy — even in cases where it isn’t their fault.
Security company Imperva has discovered a new vulnerability that allowed hackers to see who users had been chatting with on Facebook.
The exploit involved tricking the user into clicking on a malicious site. Once that happened, a background tab would open and the hacker could do their business while the user was occupied — however briefly.
Imperva’s blog goes on to explain:
“The new tab would start playing a video, keeping the user busy while we load the user messenger conversation endpoint in the background tab. While Messenger loads in the background, we record the iframe count as I previously explained, allowing us to detect whether or not the current user has been in contact with specific users or Facebook Messenger bots.”
Facebook fixed this as soon as it was made aware of the issue, but other sites and services remain vulnerable as of now.
“The issue in his report stems from the way web browsers handle content embedded in webpages and is not specific to Facebook,” a Facebook spokesperson told Gizmodo in response to a query. “We’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from happening in other web applications, and we’ve updated the web version of Messenger to ensure this browser behavior isn’t triggered on our service.”
You can read about the full vulnerability in the source link below.