A cyber security expert has discovered a major flaw that allows criminals to extract Facebook Messenger audio recordings which allows eavesdropping.
Facebook Messenger Audio Eavesdropping Possible via Flaw
The security expert Mohamed Baset has discovered a vulnerability in the Facebook Messenger app which allows clip recordings from the audio chats to be downloaded. This is possible by conducting a man-in-the-middle attack which is able to harvest the files. Using this strategy remote attackers can listen to the voice messages of the individual users.
Security experts have conducted a sample attack to analyze how the flaw can be used:
Every time the users record an audio clip it it sent first to the remote Facebook content distribution network (CDN) hosted and used by the social network.
Once it is available there it is served over an HTTPS connection to both the sender and the recipient.
When either party receives notification that there is an audio clip ready it is downloaded by the relevant app or web browser.
This makes it very easy to launch a man-in-the-middle attack to extract the network traffic by using a SSL strip. Attackers can extract the absolute links which include the secret authentication token which is embedded in the URL. This enables them to download the captured audio clips. If they use a network analyzer they can potentially eavesdrop in real time.
The attacker can modify the links from HTTPS to HTTP to download files without the needed authentication. This is possible because the Facebook CDN servers do not force the HTTP Strict Transport Security (HSTS) policy. Another identified issue is the lack of proper authentication. According to the researcher the social network should make it impossible for third parties to access the audio clips even if they have access to the absolute URLs that link to them. A proof-of-concept attack was demonstrated by sending an audio clip over the Facebook Messenger.
The Facebook staff has responded to Baset’s report by issuing the following statement:
We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program.
In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify.
