Facebook Security Loophole Could Have Allowed Hackers To Edit Messages

Not so private after all.

Facebook messenger has been forced to close a dangerous loophole after it was revealed hackers could modify private messages.

The vulnerability was first detected by researchers at Check Point Software Technologies and they have now made their findings public in a blog post.


Check Point explains how malicious users with only a basic knowledge of HTML could alter Facebook messages, photos, files or links after they were sent.

This might seem an insignificant revelation but it actually has dangerous implications for the 900 million users of the social network as the entire course of a thread could be changed without sending a new push notification to the recipient.

By locating the “unique” message id, hackers would have been able to use Facebook as a vehicle to distribute malware, easily persuading the user to open a file as a conversation is already established.

Not only that but because the original message had already been sent and hackers were only editing these messages, Facebook was not required to scan the message and the receiving party could be blissfully unaware.

Head of Products Vulnerability Research at Check Point, Oded Vanunu, said: “By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing.”

“What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations.”

This technical hitch affected both desktop and mobile versions of the site but has since been rectified by Facebook after Check Point notified them of the issue.

The news comes in the same week that CEO Mark Zuckerberg fell foul of web hackers when his Pinterest and Twitter accounts were hacked.

According to the hackers, Mark’s password was “dadada” – a textbook bad password by all Facebook requirements.

8 Facebook Privacy Flaps

Before You Go