All Those Facebook Messenger Chats Might Not Have Been Private

Researchers found a vulnerability in Facebook Messenger that could allow someone to read all text, pictures and attachments.

The flaw affects chats sent through the web and mobile applications for all 1 billion of Facebook Messenger’s active users. Facebook use chat servers on a different domain from the main site, and a misconfiguration left chats vulnerable to a cross-origin bypass attack, The Hacker News reported.

The misconfiguration—called Originull—could allow an attacker to direct a victim to a malicious site and from that point on, the attacker could access all communication through Messenger.

“This was an extremely serious issue, not only due to the high number of affected users, but also because even if the victim sent their messages using another computer or mobile, they were still completely vulnerable,” said BugSec Chief Technology Officer Stas Volfus in a press release.

BugSec and Cynet researcher Ysrael Gurt disclosed Originull to Facebook’s bug bounty program and the company fixed it.