‘Originull’ Bug Can Allow Anybody To Read All Your Facebook Messenger Chats

Your Facebook Messenger chats could be read by anyone, including hackers, thanks to a critical vulnerability. Ysrael Gurt, a security researcher from BugSec and Cynet, has discovered a critical bug in Facebook Messenger that allows an attacker to read all of your private conversations. To understand the enormity of this bug, you should know that Facebook Messenger is used by more than a billion users around the world, including businesses.

Gurt reported that a cross-origin bypass attack against Facebook Messenger can allow any tech-savvy person to access your private messages, photos and attachments sent over Facebook chat. Gurt has dubbed the attack “Originull” and says that the bug potentially affects millions of websites that rely on restricting the null origin, exposing their visitors to malware payloads.

Gurt says that the Originull bug is so severe that all an attacker has to do is trick the victim into visiting a malicious website. Once the victim opens the malicious link, all of the victim’s private conversations, whether from Facebook’s mobile app or the desktop version, become accessible to the attacker, because the flaw affects both the Facebook Messenger app for smartphones and the desktop version.

The “Originull” vulnerability lies in the fact that Facebook chats are managed from a server at {number}-edge-chat.facebook.com, which is a separate origin from Facebook’s main domain (www.facebook.com). Gurt says that because the flaw exploits a misconfigured cross-origin (CORS) header implementation on that chat server domain, attackers can bypass origin checks and read Facebook messages from an external website.

Those who have enabled Secret Conversations, Facebook Messenger’s end-to-end encrypted chat feature, are not affected by the Originull bug.

“Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the ‘Access-Control-Allow-Origin’ header with the caller’s origin, and the ‘Access-Control-Allow-Credentials’ header with the ‘true’ value, so that the data is accessible even when the cookies are sent,” Gurt explained.
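The two paragraphs above describe the failure mode: a server that echoes whatever Origin value it receives (including the literal "null" that sandboxed iframes, data: URLs and local files send) while also setting Access-Control-Allow-Credentials to true hands an authenticated response to any page. The following is an added example, not code from the article or from Facebook, showing that weak server-side decision beside a hardened allowlist policy and a small header audit a reviewer can run over a response; the hostnames in TRUSTED_ORIGINS are constructed placeholders.

```javascript
// Added example (not from the article or from Facebook's code).
// Compares a weak CORS decision with a hardened one and audits the result.

// Constructed placeholders for the origins a chat API should actually trust.
const TRUSTED_ORIGINS = new Set([
  'https://www.example-chat.test',
  'https://app.example-chat.test',
]);

// Weak policy: trusts whatever Origin arrives, even the literal "null" that a
// sandboxed iframe, data: URL or file:// page sends. Combined with
// credentials, the browser lets that page read the logged-in user's data.
function weakCorsHeaders(originHeader) {
  if (typeof originHeader !== 'string') return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Hardened policy: only an exact match against an explicit allowlist receives
// credentialed access; "null" is never an acceptable origin; anything else gets
// no CORS headers at all, so the browser refuses the cross-origin read.
function hardenedCorsHeaders(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return {};
  if (!TRUSTED_ORIGINS.has(originHeader)) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the value depends on the request, so caches must key on it
  };
}

// Audit helper: given the CORS headers of a response, list the combinations
// that would let an untrusted page read a credentialed response.
function auditCorsHeaders(headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  const findings = [];
  if (acao === 'null') {
    findings.push('allows the "null" origin');
  }
  if (acao === '*' && creds) {
    findings.push('wildcard origin combined with credentials');
  }
  if (creds && typeof acao === 'string' && acao !== '*' && acao !== 'null'
      && !TRUSTED_ORIGINS.has(acao)) {
    findings.push('reflects an origin outside the allowlist with credentials');
  }
  return findings;
}

// Stand-alone demonstration over a few constructed Origin header values.
for (const origin of ['null', 'https://attacker.test', 'https://www.example-chat.test']) {
  console.log(origin,
    '| weak:', auditCorsHeaders(weakCorsHeaders(origin)),
    '| hardened:', auditCorsHeaders(hardenedCorsHeaders(origin)));
}
```

The allowlist comparison is an exact string match on the full origin (scheme, host and port); prefix or regular-expression matching is a common way to reintroduce the same class of bug.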


Gurt has also released a proof-of-concept video demonstration of the Originull vulnerability, which shows the cross-origin bypass-attack in action.

Full details of how the Originull attack works can be accessed here. Gurt said that he reported the flaw to Facebook, which acknowledged the severity of the bug and paid him a bug bounty. Facebook engineers have since patched the loophole.