‘Originull’ Bug Allows Hackers To Read All Your Facebook Messenger Chats

IT | Dec 9, 2016 | Master3395

Security firm Cynet has discovered a critical issue that affects the privacy of 1-billion Facebook Messenger users. Dubbed Originull, this flaw is also expected to affect millions of other websites using origin null restriction checks. Facebook has fixed this issue after it was reported by the firm.

Facebook, with the help of its Messenger and WhatsApp instant messaging application, has managed to replace the conventional text messages. Now, more than 1 billion active monthly users trust Facebook Messenger with their conversations. In the recent times, the social network has worked hard to add new features and develop it as a platform. 

Earlier this week, Cynet reported a critical vulnerability that was spotted on Facebook. This hack, dubbed “Originull,” potentially affects millions of website that use origin null restriction checks and exposes the website visitors to malicious elements.

The vulnerability being talked about is a cross-origin bypass attack that lets an attacker use some external website and read a Facebook user’s private messages. This flaw affects Facebook’s mobile app as well as the website.

Usually, your browser protects you from such hacks by only allowing Facebook pages to fetch the information. However, due to this bug, Facebook opens a bridge that allows the subsites of the social network to access the information.

A security researcher of Cynet, Ysrael Gurt, discovered a flaw in the way Facebook manages the identity of these subsites. To exploit the flaw, a hacker needs to fool a Messenger user into visiting a malicious website.

The two-line technical summary of the hack states:

This meant that if we could cause the browser to send “null” in the “origin” header, we would get a “null” value in the “Access-Control-Allow-Origin.

Fossbytes readers, who are interested in reading the complete technical details of the hack, can download the complete ‘Originull’ privacy hack report here. Cynet has reported the issue to Facebook and they have patched this loophole.

Gurl has also created a proof-of-concept video to demonstrate the Originull privacy hack:

Keywords: Facebook, Hack, Messages

Author: Master3395


comments powered by Disqus

Page 1 of 376  >  >>

Working hard to preserve all public posts on Google+


Mar 20, 2019 | Category: Google | Comments

Now it will not be long.

read more…

New Window Defender Extension Launches - Insecure Websites Open in Edge


Mar 19, 2019 | Category: General | Comments

Works in Chrome and Firefox.

read more…

Now the extensions have appeared - public testing is approaching


Mar 18, 2019 | Category: General | Comments

Found 82 extensions for new Edge.

As we interpret recently Microsoft's activity, we are not the long wait from a public testing period of their new Chromium-based browser. Last week we got a sneak peek at new Edge in some photos you can see here, and it was explained that the first tests only had support in 64-bit Windows 10.

read more…

Page 1 of 376  >  >>