This simple hack allows hackers to listen to your Facebook voice messages

A security researcher has uncovered a loophole in Facebook’s security that allows a hacker to listen to your private Facebook voice messages sent over chat.

This is possible because of the lack of proper authentication and of an HSTS policy on Facebook’s CDN servers. While Facebook has acknowledged the bug, it has yet to patch it. The company has also said that it is working to roll out HSTS to its subdomains.

Personally, I don’t use Facebook Messenger’s voice messaging feature very often. But there are millions of people who use it every day: it lets people communicate without the effort of typing. In its current state, though, Facebook’s voice messaging service is vulnerable.

The audio clips that you share over the blue messaging app are prone to a simple man-in-the-middle (MITM) attack. This hack was uncovered by the Egyptian security researcher Mohamed A. Baset, The Hacker News reports.

How can attackers listen to your Facebook voice message?

Whenever a person records an audio clip and sends it to someone else, the clip is uploaded to Facebook’s CDN. From there, the file is served to both the sender and the receiver. This transfer takes place over HTTPS.

Consider a scenario where an attacker with access to your network runs a MITM attack with SSLStrip. He or she can extract the absolute links, along with the secret authentication token embedded in each URL, of all files being exchanged. This lets the attacker grab those files easily.

HSTS (HTTP Strict Transport Security) is a recent technology that improves security on the internet by forcing browsers to access a website only over an HTTPS connection. Facebook’s CDN does not implement an HSTS policy.

On top of that, the CDN lacks proper authentication: anyone who holds the absolute URL can download the file.
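The two weaknesses just described, a host that serves content without an HSTS policy and download links that carry the access token in the URL, are both things a defender can audit. The Python below is an added example written for this article, not code from Facebook or from the researcher: it parses a Strict-Transport-Security header value, reports whether the policy meets a minimum bar (a one-year max-age with includeSubDomains, so CDN subdomains are covered), and flags links whose query string looks like it carries a token. The sample headers, the hostname cdn.example.invalid and the list of token-like parameter names are constructed for the example.

```python
"""Audit helpers for missing HSTS and for capability tokens exposed in URLs."""
from urllib.parse import urlparse, parse_qs

# Minimum max-age most deployment guides require: one year, in seconds.
MIN_MAX_AGE = 31536000

# Query parameter names that commonly carry an access/capability token.
# Constructed list for this example; extend it for your own services.
TOKEN_PARAM_NAMES = {"token", "access_token", "auth", "sig", "signature", "key"}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict.

    Returns None when the header is absent or malformed (no numeric max-age).
    Directive names are case-insensitive (RFC 6797).
    """
    if header_value is None:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def hsts_findings(headers):
    """Return a list of findings for a dict of HTTP response headers.

    An empty list means the HSTS policy meets the minimum bar above.
    """
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lowered.get("strict-transport-security"))
    if policy is None:
        return ["no valid Strict-Transport-Security header: browsers will "
                "still follow http:// links to this host"]
    findings = []
    if policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains such as CDN "
                        "hosts are not covered")
    return findings


def url_findings(url):
    """Flag download links that would expose a token if the link were ever
    fetched over plain HTTP or copied into a log or referrer."""
    parsed = urlparse(url)
    findings = []
    if parsed.scheme != "https":
        findings.append("link is not https")
    for name in parse_qs(parsed.query):
        if name.lower() in TOKEN_PARAM_NAMES:
            findings.append(f"query parameter '{name}' looks like an access token")
    return findings


if __name__ == "__main__":
    # Constructed sample responses and links; not captured from any real CDN.
    weak = {"Content-Type": "audio/mpeg"}
    strong = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print("weak response:  ", hsts_findings(weak))
    print("strong response:", hsts_findings(strong))
    print(url_findings("https://cdn.example.invalid/audio/clip.mp3?token=CONSTRUCTED"))
```

Run it against the headers and links of your own CDN or download endpoints: a finding in the first function means a stripped https link will be followed in plain text, and a finding in the second means whoever sees the link also holds the credential for the file.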


The bug is still unpatched

Surprisingly, Facebook hasn’t patched this bug yet. While the company has acknowledged the bug, it didn’t offer any bug bounty for it. “The fact that we have not rolled it (HSTS) out on particular subdomains does not constitute a valid report under our program,” the company said.