Both FB Messenger and Facebook-owned WhatsApp allow users to send voice messages using the Mic icon in the chat bar. While many don’t use the Facebook Messenger voice message feature, it is still very popular. But next time you send a voice message to your near and dear ones or a business colleague, do remember that your voice chat can be snooped on by potential hackers thanks to a Man-in-the-Middle (MiTM) vulnerability.
The Hacker News reports that an Egyptian security researcher Mohamed A. Baset has found a vulnerability in Facebook Messenger’s audio clip recording feature that allows any wannabe hacker to listen in to the message. The FB Messenger flaw allows any hacker to conduct a MiTM attack and grab your audio clip files from Facebook’s server.
How does a Hacker listen to your Facebook voice message?
The Facebook Messenger voice chat flaw is so simple that a hacker with minimum technical skill can exploit it. Whenever a person records an audio clip and sends it to some other person, the clip is uploaded to Facebook’s CDN server for example https://z-1-cdn.fbsbx.com/…, from where it serves the same audio file, over HTTPS, to both the sender as well as the receiver.
Now, any attacker sitting on your network, running MITM attack with SSL Strip, can actually extract absolute links (including secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during that process.
Then, the attacker downgrades those absolute links from HTTPS to HTTP, allowing the attacker to direct download those audio files without any authentication.
Baset explains that the issue lies in the way the chat is exchanged over HTTPS to HTTP servers. Facebook is yet to implement a highly secure transport protocol called HSTS. HSTS (HTTP Strict Transport Security) forces browsers to access a website only over an HTTPS connection while disallowing communication between a secured and unsecured web server. In this case, Facebook is yet to roll out HSTS policy for its chat servers. The issue is worsened due to the fact that Facebook also lacks proper authentication allowing any hacker to launch a MiTM attack and snoop on the voice chat.
Here’s a proof-of-concept video of the Facebook voice messages CDN hack:
Facebook Has Still Not Patched This Bug
Though the FB voice chat vulnerability looks critical, Facebook is yet to patch it. Baset has informed Facebook security engineers about the vulnerability long back. While Facebook engineers have acknowledged the bug, it didn’t offer any bug bounty to Baset neither has it patched the bug. “The fact that we have not rolled it (HSTS) out on particular subdomains does not constitute a valid report under our program,” the company said.
“In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify,” It added.
We have contacted Facebook security team for the comments on this vulnerbility and will update the artice accordingly.