A security researcher has discovered a serious vulnerability in Facebook Messenger that affects the security of the approximately 1 billion people who use the application, as it can allow an attacker to read all of a user's private conversations.
Ysrael Gurt, a security researcher at BugSec and Cynet, described a cross-origin bypass attack against Facebook Messenger that lets an attacker access all of a victim's private messages, as well as the image attachments sent through the chat application.

To exploit this vulnerability, an attacker only needs to trick the victim into visiting a malicious website. In the example shown in the video, the malicious code is disguised as an advertising image on a news site controlled by the attacker. The vulnerability is exploited as soon as the victim visits the page, even without clicking on the ad.
Once triggered, all of the victim's private conversations, whether sent from Facebook's mobile application or from a web browser, can be read by the attacker, because the flaw affects both the web chat and the mobile applications.
Named “Originull”, this vulnerability stems from the fact that Facebook’s chat is managed by a server located at the address “{number}”, which is separate from Facebook's real domain (


“Communication between JavaScript and the server is done by XML HTTP Request (XHR). To access the data from JavaScript, Facebook had added an “Access-Control-Allow-Origin” header with the origin of the sender, and an “Access-Control-Allow-Credentials” header with the value “true”, so that the data can be accessed even if cookies have been sent,” Gurt explained.
The root cause of the problem is a misconfiguration in how the cross-origin (CORS) headers were implemented on the domain of Facebook's chat server. This allows an attacker to bypass the origin checks and access Facebook messages from an external website.
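The misconfiguration described above, reduced to a small model as an added example (this is not code from the article, from BugSec/Cynet or from Facebook; the origins, the allowlist and the function names are constructed): `cors_headers_reflecting` shows the vulnerable pattern of echoing the request's Origin together with `Access-Control-Allow-Credentials: true`, `cors_headers_allowlisted` shows the corrected pattern, `browser_exposes_response` approximates the decision a browser makes for a credentialed XHR, and `audit_cors_response` is a defender-side check over a captured response.

```python
"""
Added example (not from the article or from BugSec/Cynet): a minimal model of the
CORS misconfiguration the article describes, next to a hardened variant, plus a
check that mirrors the decision a browser makes for a credentialed XHR.
All origins below are constructed placeholders, not Facebook's real hosts.
"""

# Constructed allowlist of first-party origins that may read the chat API with cookies.
ALLOWED_ORIGINS = {
    "https://www.example-chat.test",
    "https://m.example-chat.test",
}


def cors_headers_reflecting(request_origin):
    """Vulnerable pattern: echo whatever Origin the browser sent and allow credentials.

    Any site can then make a cookie-bearing XHR to this endpoint and read the reply,
    which is the class of mistake the article attributes to the chat server.
    """
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin):
    """Hardened pattern: only exact matches against a fixed allowlist get CORS headers.

    The literal origin "null" (sent for sandboxed iframes, data: URLs and some
    redirects) is rejected explicitly because it identifies no trustworthy site.
    """
    if request_origin is None or request_origin == "null":
        return {}
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin so one origin's headers are never served to another.
        "Vary": "Origin",
    }


def browser_exposes_response(response_headers, page_origin):
    """Approximate the browser's CORS check for a credentialed cross-origin XHR.

    Script on page_origin may read the response body only if
    Access-Control-Allow-Origin equals page_origin exactly ("*" is not accepted
    when credentials are sent) and Access-Control-Allow-Credentials is "true".
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials")
    return acao == page_origin and acac == "true"


def audit_cors_response(request_origin, response_headers):
    """Defender-side check for a captured response: flag reflected-origin-with-credentials.

    Returns a list of findings; an empty list means the response looks safe for this probe.
    """
    findings = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower()
    if acao is not None and acao == request_origin and request_origin not in ALLOWED_ORIGINS and acac == "true":
        findings.append(f"origin {request_origin!r} reflected with credentials")
    if acao == "null" and acac == "true":
        findings.append("null origin accepted with credentials")
    if acao == "*" and acac == "true":
        findings.append("wildcard origin combined with credentials (browsers reject this, but it signals a misconfiguration)")
    return findings


if __name__ == "__main__":
    # Constructed third-party origin standing in for the attacker-controlled news site.
    third_party = "https://attacker-news.test"
    for label, handler in (("reflecting", cors_headers_reflecting), ("allowlisted", cors_headers_allowlisted)):
        hdrs = handler(third_party)
        print(label, "-> third-party page can read chat data:", browser_exposes_response(hdrs, third_party))
```

The decisive detail is the combination: reflecting the Origin is harmless without credentials, and allowing credentials is harmless with a strict allowlist, but together they hand every site that can get a user's browser to load it a cookie-authenticated read of the API. When auditing a real endpoint, probe it with an origin you do not own on the allowlist and with the literal value `null`, and treat either being echoed back alongside `Access-Control-Allow-Credentials: true` as a finding.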
Gurt also provided a video demonstration of the Originull vulnerability being exploited, to show how dangerous this cross-origin bypass is.
However, Secret Conversations, Facebook Messenger's end-to-end encrypted chat feature, is not affected by this bug, since it can only be used in the mobile applications.
“This security flaw exposed the messages of about 1 billion monthly active users of Messenger to attackers,” said Stas Volfus, chief technology officer of BugSec.
“This is a very serious problem, not only because of the number of users affected, but also because even if the victim used a computer or another mobile device to send their messages, they were still fully exposed.”
The researchers reported the critical vulnerability to Facebook through its Bug Bounty program. Facebook’s security team acknowledged the issue and released a patch for the vulnerable component.