A vulnerability similar to one already seen in Facebook was also found in the company's Messenger, according to security research group Imperva. About a year ago, researchers at Imperva discovered that a hacker could use "any website to expose who you were messaging" through Messenger. The bug was reported to Facebook in May, then fixed.
Hackers were able to target a Facebook user's web browser and exploit iframe elements to see which friends the user had chatted with and which ones weren't in the user's contact list. Imperva said the hackers were unable to obtain any other data related to the attack.
As with the earlier vulnerability in Facebook, Messenger users were exposed if they visited a malicious website with Chrome and then clicked on the website while still logged into Facebook. With this, hackers could run any query in a new tab of the social network and extract personal data.
"Browser-based side-channel attacks are still a neglected topic," writes Imperva Israel researcher Ron Masas in the report. "While big players like Facebook and Google are catching up, most of the industry is still not aware." Masas noted that while the technique was not yet commonplace, it could "increase its popularity throughout 2019" as it normally leaves no trace.
It is worth mentioning that in recent times Facebook has been heavily criticized for violations of privacy and incorrect handling of user data.
Source: The Verge