Facebook Messenger was vulnerable to an attack that required basic HTML knowledge.

The Check Point security team found a vulnerability in standard Facebook functionality, as well as in Facebook Messenger, that allowed access to any user's messages sent via the social network.

Specifically, the exploit allowed anyone to access user messages and modify their content, which could be used, for example, to distribute malicious software.

To use the exploit, the attacker needed only to acquire a unique message ID by sending a request to www.facebook.com/ajax/mercury/thread_info.php.

The whole operation requires only basic knowledge of HTML and a modern browser with a debugging mode. After finding the message ID, the attacker can change the message content and send it to the Facebook server, bypassing the real user's account.
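The following toy model is an added illustration, not code from Facebook or Check Point. The page does not state the server-side root cause, so the sketch assumes the server stored a submitted message under an existing message ID without checking it; all class, field and sample names are hypothetical.

```python
# Added illustration: a toy in-memory message store, not Facebook's code.
from dataclasses import dataclass


class EditRejected(Exception):
    """Raised when a write to an existing message ID is refused."""


@dataclass(frozen=True)
class Message:
    message_id: str
    author: str
    body: str


class NaiveStore:
    """Assumed flaw: whoever presents a known message ID may overwrite it."""

    def __init__(self):
        self.messages = {}

    def submit(self, session_user, message_id, body):
        # The ID alone selects the record; the session is never compared
        # with the original author, so the stored author stays unchanged.
        old = self.messages.get(message_id)
        author = old.author if old else session_user
        self.messages[message_id] = Message(message_id, author, body)
        return self.messages[message_id]


class HardenedStore(NaiveStore):
    """Author comes from the session; an existing ID is never rewritten."""

    def __init__(self):
        super().__init__()
        self.audit = []  # rejected attempts, kept for detection

    def submit(self, session_user, message_id, body):
        old = self.messages.get(message_id)
        if old is not None:
            # Re-submitting an existing ID is never a legitimate "send".
            self.audit.append((session_user, message_id, old.author))
            raise EditRejected(f"message {message_id} already exists")
        return super().submit(session_user, message_id, body)


def demo(store):
    """Constructed scenario: a second user resubmits an existing ID."""
    store.submit("alice", "mid.1", "Price agreed: 100")
    try:
        store.submit("mallory", "mid.1", "Price agreed: 900")
    except EditRejected:
        pass
    return store.messages["mid.1"].body
```

In the hardened variant the rejected attempt is also recorded in `audit`, which gives defenders a signal that someone is replaying known message IDs.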


What was the danger of this vulnerability? Facebook, as a social network, has long been part of its users' lives and is used for a variety of purposes: to transfer information, links and other things, as well as to reach preliminary agreements and deals. The ability to change the contents of correspondence without hacking the account gives attackers a tool to put pressure on the user and falsify data.

After the discovery of the vulnerability, experts reported it to Facebook and the hole was promptly closed.

Source: https://habr.com/ru/post/302874/