Facebook flaw allows any message to be changed


Security vendor Check Point has released details of a vulnerability found in Facebook Messenger in the last week of May.

The vulnerability allowed for any sent message, photo, file and link to be modified after sending.

"By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realising. What's worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations," Check Point head of products vulnerability research Oded Vanunu said.

The flaw, which has since been fixed, allowed attackers to insert infected links or files into existing messages, providing the starting point for a ransomware campaign.

Such campaigns typically last only several days, because the infected links and the command and control addresses become known and blocked by security vendors, forcing the attacker to shut down their activity.

The vulnerability found in Facebook's Messenger allowed an attacker to use automation techniques to continually outsmart those security measures by rewriting already-sent messages whenever the command and control servers were replaced, according to Check Point.

Mark Zuckerberg hacked

On Monday, VentureBeat reported that Facebook chief executive Mark Zuckerberg had both his Twitter and Pinterest accounts hacked.

Reuters reported a Facebook spokesman as saying the accounts have since been "re-secured using best practices," and "no Facebook systems or accounts were accessed".

Zuckerberg had allegedly used the same password, 'dadada', for both accounts, which facilitated the hack.

"He used a dumb password – because passwords are hard to remember, and we have too many of them. He re-used that password across sites – because we use dozens of apps, sites, and services every day, and can’t be expected to do something better. That password was either cracked in milliseconds, or stolen," Centrify security strategist Chris Webber said.

"If he’d had MFA (multi factor authentication) on these accounts, the security test would have been much harder. The testers would have his password, but not his second factor, and would likely have been satisfied with that level of security."

Last month, more than 100 million LinkedIn customer credentials were reported to be on sale on the dark web. The credentials are linked to a 2012 breach.

Microsoft announced last week that it is banning easy passwords in order to protect users and passwords in the Microsoft Account system and in the private preview of Azure AD.

Copyright © CRN Australia. All rights reserved.
