The ability to record voice messages is an important feature in IM systems, since it lets you converse quickly without typing out long blocks of text, and many platforms offer it, including Facebook Messenger and WhatsApp.
Mohamed A. Baset, an Egyptian security specialist, uncovered a vulnerability in the audio-recording feature of Facebook Messenger. He found that the flaw can be leveraged in a man-in-the-middle attack to hijack the audio files and listen in on private messages. Facebook hasn’t yet fixed the problem.
The Hacker News provided a more technical explanation of the attack. Whenever an audio or video message is recorded and sent to someone, the file is uploaded to a CDN server belonging to Facebook. From there, it is served over HTTPS to both the recipient and the sender.
An attacker on the same network segment could mount a man-in-the-middle attack using SSL Strip and extract the absolute links to every audio file the two parties sent each other, along with the secret authentication token embedded in each URL.
The attacker can then rewrite the links from HTTPS to HTTP and fetch the files without providing any further authentication. This works because Facebook’s CDN server does not enforce an HTTP Strict Transport Security (HSTS) policy, so the browser will accept a plain HTTP connection to it.
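The missing control in the paragraph above is an HSTS header on the CDN host. The following is an added example, not code from the article, from Baset or from Facebook: a small checker that parses a `Strict-Transport-Security` header the way a browser does (RFC 6797 directive semantics) and reports whether the host would still accept a plain-HTTP downgrade. The sample header sets are constructed, and the one-year minimum `max-age` is an assumption borrowed from the browser preload requirements.

```python
"""Evaluate a Strict-Transport-Security header as a browser would.

Added example, not code from the article or from Facebook. It operates on
constructed header dicts so that it runs offline; in practice you would
feed it the headers of a real HTTPS response.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: policies shorter than one year are reported as weak. This is
# the bar used by the browser preload list, not a value from the article.
MIN_MAX_AGE = 31536000


@dataclass
class HstsVerdict:
    present: bool               # header was sent at all
    max_age: Optional[int]      # parsed max-age, None if missing/malformed
    include_subdomains: bool    # includeSubDomains directive present
    preload: bool               # preload directive present
    strong: bool                # browser will refuse plain HTTP for >= MIN_MAX_AGE
    reason: str                 # human-readable explanation


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=63072000; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive (RFC 6797, section 6.1); valueless
    directives map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def evaluate_hsts(headers: Dict[str, str]) -> HstsVerdict:
    """Return a verdict for a response-header dict (header names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return HstsVerdict(False, None, False, False, False,
                           "no HSTS header: browser will accept plain HTTP to this host")
    d = parse_hsts(raw)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        # A header without a valid max-age is ignored entirely by browsers.
        return HstsVerdict(True, None, False, False, False,
                           "max-age missing or malformed: header is ignored")
    inc = "includesubdomains" in d
    pre = "preload" in d
    if max_age == 0:
        return HstsVerdict(True, 0, inc, pre, False,
                           "max-age=0 clears any stored policy")
    if max_age < MIN_MAX_AGE:
        return HstsVerdict(True, max_age, inc, pre, False,
                           f"max-age {max_age}s is below the assumed {MIN_MAX_AGE}s minimum")
    note = "" if inc else " (includeSubDomains absent: sibling hosts not covered)"
    return HstsVerdict(True, max_age, inc, pre, True, "policy adequate" + note)


# Constructed sample responses: a CDN-style reply with no HSTS at all, and a
# hardened reply that pins HTTPS for two years.
CDN_LIKE_HEADERS = {"Content-Type": "audio/mpeg", "Cache-Control": "private"}
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for name, hdrs in (("cdn-like", CDN_LIKE_HEADERS), ("hardened", HARDENED_HEADERS)):
        v = evaluate_hsts(hdrs)
        print(f"{name}: strong={v.strong} {v.reason}")
```

The checker only inspects headers; it does not replace a real test that the host also redirects port 80 to HTTPS, which HSTS relies on for its first visit.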
Another issue, Baset explained, is that there is no effective authentication in place. If two Facebook users share a file, nobody else should be able to access it, even if they hold the exact URL with the secret code embedded in it that unlocks the file.
Baset provided a proof of concept: he sent a friend an audio file via Facebook Messenger and then extracted the exact link to the clip through a man-in-the-middle attack.
Using that link, anyone can download the file from Facebook, even if they are not the intended recipient and have not authenticated.
Baset explained to The Hacker News that browsers keep GET requests in their history and cache, which is why he recommends serving these files in response to a POST request protected by an anti-CSRF token.
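The two design points above (access tied to the conversation participants rather than to a secret in the URL, and delivery over a POST carrying an anti-CSRF token) can be sketched as a single authorization decision. This is an added example and not Facebook’s code or Baset’s; the `MediaStore`, `Media` and `csrf_token_for` names, the session model and the sample records are all constructed for illustration.

```python
"""Authorization for a shared media file, as an added example.

Not Facebook's implementation. Models the recommendation in the article:
a file is served only to an authenticated party of the conversation, only
via POST, and only with a CSRF token bound to the caller's session. The
secret that may sit in the URL plays no part in the decision.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed per-process key used to derive CSRF tokens (hypothetical).
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Media:
    media_id: str
    sender: str
    recipients: FrozenSet[str]

    def is_party(self, user: str) -> bool:
        return user == self.sender or user in self.recipients


def csrf_token_for(session_id: str) -> str:
    """Derive a CSRF token from the session so it cannot be reused across sessions."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class MediaStore:
    def __init__(self) -> None:
        self._items: Dict[str, Media] = {}

    def add(self, media: Media) -> None:
        self._items[media.media_id] = media

    def authorize(self, session_user: Optional[str], session_id: str, method: str,
                  media_id: str, csrf_token: Optional[str]) -> Tuple[bool, str]:
        """Decide whether this request may receive the file.

        Returns (allowed, reason). Every check is on the session, the
        method and the conversation membership; nothing in the URL grants access.
        """
        if method.upper() != "POST":
            return False, "GET refused: the URL would be kept in history and cache"
        if session_user is None:
            return False, "unauthenticated session"
        expected = csrf_token_for(session_id)
        if not hmac.compare_digest(csrf_token or "", expected):
            return False, "anti-CSRF token missing or not bound to this session"
        media = self._items.get(media_id)
        if media is None:
            return False, "no such media"
        if not media.is_party(session_user):
            return False, "caller is neither sender nor recipient"
        return True, "ok"


def demo() -> None:
    # Constructed conversation: alice sends a clip to bob.
    store = MediaStore()
    store.add(Media("clip-1", "alice", frozenset({"bob"})))
    bob_token = csrf_token_for("sess-bob")
    print(store.authorize("bob", "sess-bob", "POST", "clip-1", bob_token))
    print(store.authorize("bob", "sess-bob", "GET", "clip-1", bob_token))
    # A third party holding the link (and even a valid token for their own
    # session) is still refused because they are not a party to the chat.
    print(store.authorize("mallory", "sess-mallory", "POST", "clip-1",
                          csrf_token_for("sess-mallory")))


if __name__ == "__main__":
    demo()
```

The order of checks matters: method and session are validated before the store is consulted, so an unauthenticated caller learns nothing about whether a media id exists.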
Unfortunately, Baset received no reward for discovering the flaw, because Facebook does not want to pay for something it considers a loophole.
Facebook told Baset that they were rolling out HSTS policies across their subdomains and that, since the rollout had not yet reached every subdomain, they did not consider his report valid under their program. They added that reports saying they should be using HSTS and other defense-in-depth measures do not generally qualify for their bug bounty program. Apparently, all decisions about which protections to deploy and when are deliberate, which is why they do not consider suggestions like the one Baset made to be valid.
Facebook still hasn’t fixed the vulnerability in question and, who knows, maybe there is still a chance for the Egyptian security specialist to be rewarded.