Most people hate typing long messages while chatting on messaging apps, but the voice recording feature provided by WhatsApp and Facebook Messenger makes it much easier to send longer messages that would otherwise take a lot of typing effort.
If you too have a habit of sending audio clips to your friends over Facebook Messenger instead of typing long messages, you are susceptible to a simple man-in-the-middle (MITM) attack that could leak your private audio clips to attackers.
What’s more worrisome is that the issue is still not patched by the social media giant.
Let’s understand how this new attack works.
Here’s How Attackers can Listen to your Personal Audio Clips:
Whenever you record an audio clip (video message) to send to your friend, the clip is uploaded to Facebook's CDN server (i.e., https://z-1-cdn.fbsbx.com/…), which then serves the same audio file, over HTTPS, to both the sender and the receiver.
Now, any attacker sitting on your network and running a MITM attack with SSL Strip can extract the absolute links (including the secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during that process.
The attacker then downgrades those absolute links from HTTPS to HTTP, which allows them to directly download those audio files without any authentication.
What went Wrong?
This is because Facebook's CDN server does not impose an HTTP Strict Transport Security (HSTS) policy, which forces browsers or user agents to communicate with the server only over HTTPS connections and helps websites protect against protocol downgrade attacks.
Secondly, the lack of proper authentication: if a file has been shared between two Facebook users, it should not be accessible to anyone except them, even if someone has the absolute URL to the file, which also includes a secret token to access it.
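To make the HSTS point concrete, here is an added simulation of the browser side of HSTS (illustrative code written for this article, not Facebook's or any browser's implementation). A user agent that has received a valid Strict-Transport-Security header over HTTPS remembers the host and rewrites later plain-HTTP requests for it to HTTPS before they leave the machine, so a link that an on-path attacker has downgraded never gets fetched in cleartext. The hostname `z-1-cdn.fbsbx.com` comes from the article; the header values, parent domain policy and file name are constructed for the example.

```python
"""
Simulate the user-agent side of HTTP Strict Transport Security (RFC 6797).

Added illustration, not Facebook's code. Shows why a missing HSTS policy on
the CDN host leaves an HTTP-downgraded link fetchable in cleartext, and why
a policy on the parent domain with includeSubDomains would cover the CDN host.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time after which the policy lapses
    include_subdomains: bool   # whether sub.host.example is covered too


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    absent or invalid (a missing or non-numeric max-age invalidates it).
    """
    if header_value is None:
        return None
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    """Minimal in-memory HSTS cache keyed by hostname, as a browser keeps one."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}

    def observe_response(self, url, headers):
        """Record a policy only when the response itself came over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        parsed = parse_hsts(headers.get("Strict-Transport-Security"))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 removes the policy
            return True
        self.entries[host] = HstsEntry(self.clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the user agent would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

With an empty store, `rewrite("http://z-1-cdn.fbsbx.com/clip.mp4")` is returned unchanged, which is the situation the article describes. After the store has seen `Strict-Transport-Security: max-age=31536000; includeSubDomains` on an HTTPS response from a constructed parent domain `fbsbx.com`, the same link is rewritten to HTTPS. Two caveats the code makes visible: a policy delivered over plain HTTP is ignored, and protection only begins after the first HTTPS visit unless the domain is on the browser preload list, so HSTS is a defense-in-depth control rather than a substitute for per-request authentication.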
As an example, Mohamed sent an audio clip to one of his friends over Facebook Messenger, and here's the absolute link to the audio file extracted using the MITM attack, which anyone, even you, can download from Facebook's server without any authentication.
“GET requests are something that browsers can remember in their cache and also in their history. Better to have these files played via POST requests with an anti-CSRF token implemented,” Mohamed told The Hacker News.
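The authentication gap described in the "What went Wrong?" section and the caching concern in Mohamed's remark can both be shown in one added server-side example (written for this article; it is not Facebook's implementation, and the user ids, conversation, media bytes and signing key are all constructed). It contrasts an endpoint that treats the secret token in the URL as the only credential with one that additionally requires an authenticated session belonging to a participant of the conversation and marks the response uncacheable.

```python
"""
Authorize access to a shared media file on the server side.

Added example, not Facebook's code. `serve_token_only` models a capability
URL: whoever holds the link gets the file. `serve_authorized` keeps the token
but also requires a verified session for a conversation participant and sets
Cache-Control so the clip is not retained in browser or proxy caches.
"""
import hmac
import hashlib
from dataclasses import dataclass, field

# Hypothetical server-side secret used to sign media tokens (constructed).
SERVER_KEY = b"constructed-demo-signing-key"


@dataclass
class Conversation:
    participants: frozenset                      # user ids allowed to see the media
    media: dict = field(default_factory=dict)    # media_id -> raw bytes


# Constructed sample data: one conversation with one shared audio clip.
CONVERSATIONS = {
    "conv-1": Conversation(frozenset({"mohamed", "friend"}),
                           {"clip-42": b"OggS\x00\x02constructed-audio-bytes"}),
}
MEDIA_TO_CONVERSATION = {"clip-42": "conv-1"}


def make_token(media_id):
    """Secret token embedded in the media URL (HMAC over the media id)."""
    return hmac.new(SERVER_KEY, media_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(media_id, token):
    return hmac.compare_digest(make_token(media_id), token)


def serve_token_only(media_id, token):
    """Weak design: a valid link is the only credential.

    Anyone who obtains the URL, for example from an intercepted connection,
    receives the file regardless of who they are.
    """
    conv_id = MEDIA_TO_CONVERSATION.get(media_id)
    if conv_id is None or not token_is_valid(media_id, token):
        return 403, {}, b""
    return 200, {"Content-Type": "audio/ogg"}, CONVERSATIONS[conv_id].media[media_id]


def serve_authorized(session_user, media_id, token):
    """Hardened design: link + authenticated participant + no caching.

    `session_user` is the user id bound to a verified login session (None when
    the request carries no session). The token still stops media-id guessing,
    but it is no longer sufficient on its own.
    """
    if session_user is None:
        return 401, {}, b""
    if not token_is_valid(media_id, token):
        return 403, {}, b""
    conv_id = MEDIA_TO_CONVERSATION.get(media_id)
    if conv_id is None or session_user not in CONVERSATIONS[conv_id].participants:
        # Same status whether the media is unknown or the caller is not a
        # party, so the response does not reveal which media ids exist.
        return 403, {}, b""
    headers = {
        "Content-Type": "audio/ogg",
        # Keep the clip out of browser and shared caches.
        "Cache-Control": "private, no-store",
    }
    return 200, headers, CONVERSATIONS[conv_id].media[media_id]
```

With this layout, a leaked link alone yields a 403 from `serve_authorized` for a user outside the conversation, while `serve_token_only` happily returns the clip to anyone presenting the token. Mohamed's suggestion of serving the file via POST with an anti-CSRF token addresses the same history and cache exposure from a different angle; the `no-store` directive here is one way to cover the caching half of that concern while keeping the request a GET.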
Still Unpatched; No Bug Bounty!
Mohamed reported the issue to Facebook, and the company acknowledged it but hasn't patched it yet. Facebook did not offer the researcher any bug bounty, as downgrade attacks do not fall under its bug bounty program.
Here’s what the Facebook security team told Mohamed:
“We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program.”
“In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify.”
You can watch the above proof-of-concept video demonstration, which shows this attack in action.
We have contacted Facebook security team for the comment and will update the story as soon as we hear from the company.