Facebook Messenger bug allowed researchers to change conversation history

Security researchers discovered a bug in Facebook Messenger that would allow an attacker to modify or remove text, pictures, links, and other data from chats in the Messenger Android app and in desktop Facebook chat — opening up some of Messenger’s 900 million users to potential fraud.

The bug could be used to alter conversations and spread malware, according to researchers at the security company Check Point who discovered the bug. A user could alter the content of her chats in the Android app and on desktop, making it appear as if parties in the conversation had said things they didn’t actually say. The ability to modify links in Messenger also made users vulnerable to malware distribution — an attacker could swap out a normal link for a malicious one and convince the recipient to click on it.

Facebook works to prevent malware from spreading in Messenger by blocking users from sending links to known malware and phishing sites. The company also shares threat intelligence with other security researchers on Threat Exchange, its social media platform for developers. But new malware could still slip through.

Only parties in the conversation could exploit the bug — so if you trust your Facebook friends, you probably were not at risk. Since the bug only impacted the Messenger app and in-browser chat on Facebook.com, the authentic conversations would be logged on other versions of Messenger, such as Messenger.com. If someone’s chats were manipulated using the bug, he or she would still be able to access the original text in another version of Messenger.

“By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing,” Oded Vanunu, head of products vulnerability research at Check Point, said in a statement. “What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations. We applaud Facebook for such a rapid response and putting security first for their users.”

Facebook’s security team patched the Messenger bug in May after they were alerted to the problem by Check Point. Since the early days of Facebook, the company has run a bug bounty program to encourage security researchers and whitehat hackers to report problems to the company. A Facebook spokesperson told TechCrunch that the program has “proven incredibly valuable.”

Facebook explained the bug in a blog post, noting that the changes to a conversation were not permanent. “We also confirmed that the content self-corrected on Android when the application refetched message data from the server, so it wasn’t permanently changed,” Facebook said.

This post was updated 6/7 at 1:00 p.m. with additional details about Facebook’s blog post and a demo video of the bug.