Electronic news service of the Ministry of Communications and Information Technologies

Hackers can listen to Facebook voice messages


The voice recording feature provided by WhatsApp and Facebook Messenger is a great convenience for users who do not want to make the effort of typing longer messages.
 
However, if you are one of those users who are in the habit of sending audio clips rather than writing text messages to your friends, you are vulnerable to a simple man-in-the-middle (MITM) attack through which hackers can gain access to your personal audio clips.
 
More worrying is that the popular social network has yet to release a patch for this serious problem.
 
The Egyptian cybersecurity expert Mohamed A. Baset published information about vulnerabilities in Facebook Messenger's audio clip recording feature, which can allow any hacker to access your audio files on Facebook's server and listen to them through a man-in-the-middle attack.
 
Every time you record an audio clip (voice message) to send to a friend, the clip is uploaded to Facebook's CDN server (i.e., https://z-1-cdn.fbsbx.com/...), which serves the same audio file, over HTTPS, to both the sender and the receiver.
 
Any hacker who has gained access to your network through a MITM attack with SSLStrip can extract the absolute links (including the secret authentication token embedded in the URL) to any audio files exchanged between sender and receiver during this process.
 
The hacker then downgrades those absolute links from HTTPS to HTTP, which allows the audio files to be downloaded directly without any authentication.
 
You are surely now wondering how hackers are able to download your audio files so easily.
 
First, this hack is so easy because the Facebook CDN server does not impose an HTTP Strict Transport Security (HSTS) policy, which forces browsers or user agents to communicate with servers only through HTTPS connections and helps websites protect against protocol downgrade attacks.
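As an added illustration (not code from the researcher or from Facebook), the following Python sketch shows how a site owner could audit response headers for an effective HSTS policy as defined in RFC 6797. The 180-day `MIN_MAX_AGE` threshold, the finding texts and the sample responses are assumptions constructed for this example.

```python
MIN_MAX_AGE = 15552000  # 180 days; threshold is an assumption of this added example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a dict, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a repeated directive voids the header
            return None
        seen[name] = arg.strip().strip('"')  # value may be a quoted-string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):  # max-age is required
        return None
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}

def audit(scheme, headers):
    """Return a list of findings for one response; an empty list means OK."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        return ["HSTS sent over HTTP is ignored by browsers"] if values else ["no HTTPS"]
    if not values:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(values[0])           # only the first header is processed
    if policy is None:
        return ["malformed Strict-Transport-Security header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells the browser to drop the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age below threshold")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "cdn-without-hsts": ("https", [("Content-Type", "audio/mp4")]),
    "good": ("https", [("strict-transport-security", "max-age=31536000; includeSubDomains")]),
    "short": ("https", [("Strict-Transport-Security", 'max-age="3600"')]),
    "duplicate": ("https", [("Strict-Transport-Security", "max-age=1; max-age=2")]),
}
if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLES.items():
        print(name, audit(scheme, headers) or "ok")
```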
 
Second is the lack of proper authentication. If a file has been shared between two Facebook users, it should not be accessible to anyone but them, even if someone has the absolute URL to that file, which also includes the secret token for accessing the file.
 
The cybersecurity specialist has reported the problem to Facebook and, although the company is aware of the situation, it has not yet released a patch to fix it. Moreover, Facebook has so far not included this vulnerability in its bug bounty program, so evidently, under company policy, downgrade attacks do not need to be part of such a program.
 
The Facebook security team has responded to Mohamed Baset: "We are in the process of rolling out HSTS across various facebook.com subdomains. The fact that we have not rolled it out on particular subdomains does not constitute a valid report under our program.
 
In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify."





18/01/17