Facebook Messenger is quickly becoming a popular method of communication, and rightfully so. It’s integrated well into the greater Facebook eco-system that’s so commonly used and the standalone app has been sufficiently improved to actually be useful. But it seems that there’s a way for someone to modify someone’s chat history and even spread malware using Facebook Messenger as a medium.
A fatal flaw in Facebook Messenger lets others peruse and pretend to be you, among other nastier things
The vulnerability exists almost solely because all of your messages are stored on Facebook’s servers themselves, and retrieved by your devices. Someone only needs the ID of the message in question in order to find it and even change it. That ID can be found within the session information being passed between either the app or your browser with Facebook’s servers when you’re using Facebook Messenger. Almost 800 million people use the chat application, and all are at risk.
If a would-be attacker does gain access to a given message between one or more people, then they can modify the message and append an attachment that has malware attached. The server will update the conversation on every device which could end up actually spreading malware or ransomware. Depending on how clever the attachment is and how natural it fits into the flow of the conversation.
Interestingly, if Facebook brought itself into modern times and used end-to-end encryption then this wouldn’t be a problem at all, because the session ID would be encrypted along with the rest of the conversation. This would prevent anyone from snooping the ID in the first place. It would be even better if those messages were encrypted at rest while on Facebook’s servers as well.
Soruce: Check Point Security