If you too have a habit of sending audio clips to your friends over Facebook Messenger instead of typing long messages, you are susceptible to a simple man-in-the-middle (MITM) attack that could leak your private audio clips to an attacker.
What's more worrisome is that the issue is still not patched by the social media giant.
Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Facebook Messenger's audio clip recording feature that could allegedly allow any man-in-the-middle attacker to grab your audio clip files from Facebook's server and listen to your personal voice messages.
Let's understand how this new attack works.
Here's How Attackers can Listen to your Personal Audio Clips:
Any attacker sitting on your network and running a MITM attack with SSL Strip can extract the absolute links (including the secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during the conversation.
The attacker then downgrades those absolute links from HTTPS to HTTP, which lets them download the audio files directly, without any authentication.
You might be wondering how attackers are able to download your audio files so easily.
What went Wrong?
This is because Facebook's CDN server does not enforce an HTTP Strict Transport Security (HSTS) policy. HSTS tells browsers and other user agents to communicate with a host only over HTTPS, which protects a website against protocol downgrade attacks; note that a browser only honours it after it has received the header over a prior HTTPS connection, or when the host is on the browser's preload list.
Secondly, there is no proper authentication on the file itself. If a file has been shared between two Facebook users, nobody except those two should be able to access it, even someone who holds the absolute URL to the file. Instead, the URL alone, with its embedded secret token, is enough to download it.
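The two failures described above can be reproduced offline. The following Python script is an added example, not code from the article or from the researcher: it simulates what an SSL Strip proxy does to an absolute HTTPS link that carries a secret token (the token survives the rewrite, so whoever sees the stripped link holds the capability), and it checks a set of response headers for a usable HSTS policy. The CDN host, file path, token value and header sets are all constructed placeholders, not real Facebook URLs or headers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a hypothetical messenger page body that embeds an absolute
# link to a voice clip. Host and token are invented placeholders.
SAMPLE_BODY = (
    '<audio src="https://cdn.example.test/clips/123456.mp4'
    '?token=abc123def456"></audio>'
)

# Constructed response headers for the same hypothetical CDN: one set without
# HSTS (the situation the article describes) and one hardened set.
CDN_HEADERS_NO_HSTS = {
    "Content-Type": "audio/mp4",
    "Cache-Control": "public, max-age=31536000",
}
CDN_HEADERS_HARDENED = dict(
    CDN_HEADERS_NO_HSTS,
    **{"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
)

HSTS_HEADER = "strict-transport-security"


def strip_ssl(body):
    """Rewrite every https:// link to http://, which is what an SSL Strip proxy
    does to the page it relays to the victim. Nothing else in the link changes,
    so the query string (and the token inside it) is passed through intact."""
    return re.sub(r"https://", "http://", body)


def extract_links(body):
    """Return the absolute http(s) links found in a page body."""
    return re.findall(r'https?://[^\s"\'<>]+', body)


def capability_params(url):
    """Return query parameters named 'token' in the URL. Anyone who holds the
    full URL also holds these values, so they act as bearer capabilities."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k == "token"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797): directives are
    separated by ';', names are case-insensitive, max-age may be quoted."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def downgrade_exposure(headers):
    """Classify how a host's response headers affect a later http:// downgrade,
    assuming the browser has already seen these headers over HTTPS."""
    value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
    if value is None:
        return "no HSTS: browser will follow a stripped http:// link"
    policy = parse_hsts(value)
    if not policy["max_age"]:
        return "HSTS with max-age=0: policy cleared, downgrade possible"
    return "HSTS set: browser rewrites http:// to https:// before connecting"


if __name__ == "__main__":
    for link in extract_links(strip_ssl(SAMPLE_BODY)):
        print("stripped link:", link)
        print("token leaked with it:", capability_params(link))
    print("as served   :", downgrade_exposure(CDN_HEADERS_NO_HSTS))
    print("hardened    :", downgrade_exposure(CDN_HEADERS_HARDENED))
```

Two points worth keeping in mind when reading the output: HSTS only closes the downgrade for a browser that has already cached the policy (or has the host preloaded), so the first visit over an attacker-controlled network is still exposed; and HSTS does nothing about the second problem, since a URL whose only access control is a token in its query string remains downloadable by anyone who obtains that URL by any other route.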
As an example, Mohamed sent an audio clip to one of his friends over Facebook Messenger and extracted the absolute link to the audio file using the MITM attack; anyone holding that link, even you, could download the file from Facebook's server without any authentication.
"GET requests are something that browsers can remember in their cache and also in their history. Better to have these files played via POST requests with an anti-CSRF token implemented," Mohamed told The Hacker News.
Still Unpatched; No Bug Bounty!
Mohamed reported the issue to Facebook, and the company acknowledged it but has not patched it yet. Facebook did not offer the researcher any bug bounty, as downgrade attacks do not fall under its bug bounty program.
"We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program."
"In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify."
You can watch the above proof-of-concept video demonstration, which shows this attack in action.
We have contacted Facebook security team for the comment and will update the story as soon as we hear from the company.