A vulnerability in Facebook's Messenger application allowed attackers to adopt a man-in-the-middle position to manipulate the conversation thread in secret, security firm Check Point has revealed.
The firm today disclosed details of the flaw after it reported the hole to Facebook earlier this month. Facebook has patched the vulnerability.
Check Point said the flaw allowed attackers to control the chat contents and delete, edit and replace texts, links and files as they desired, leaving victims open to impersonation and identity theft.
The vulnerability existed in the way Facebook assigns identities to messages in the chat application. Each message has its own "message_id" identifier parameter, Check Point said, and attackers can reveal a message_id by sending a request to www.facebook.com/ajax/mercury/thread_info.php.
Once the ID has been accessed, the attacker can alter the content of the message and send it to Facebook's servers without the chatting parties knowing the interception has occurred.
Attackers could also use the flaw to send ransomware to those in the chat by sending an initially legitimate message that is later altered to contain a malware link or file, for example by changing a "Hi" message to "RANSOMWARE COMMAND AND CONTROL ROULETTE", the firm said.
"Next, the hacker can manipulate the same attack vector to overcome one of the biggest challenges standing in the face of ransomware today: maintaining an active command & control server," the researchers wrote.
"Usually, ransomware campaigns last only several days because the infected links and the C&C addresses become known, and blocked by security vendors, forcing the attacker to shut down his activity and begin again from scratch.
"However, with this vulnerability, the hacker could implement automation techniques to continually outsmart security measures when the command & control servers are replaced."
Check Point warned the flaw could have had severe repercussions given Facebook Messenger content is admissible in court.
"Hackers can tamper, alter or hide important information in Facebook chat communications which can have legal repercussions," the firm wrote.
"These chats can be admitted as evidence in legal investigations and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person."
It commended Facebook for acting to patch quickly.
Check Point said it had not been able to ascertain whether the flaw had been exploited in the wild.
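An added example, not from Check Point or Facebook, illustrating the message_id overwrite and the evidence-tampering concern described above: a store that lets a resubmitted message_id replace a stored message, beside one that assigns ids server-side, refuses client-supplied ids, and hash-chains its log so later alteration is detectable. The page does not describe Facebook's actual fix; the class names and sample messages are constructed for illustration.

```python
import hashlib
import json
import secrets

class UnsafeThread(dict):
    """Before: the client names the message_id; a repeat write overwrites."""
    def submit(self, sender, message_id, body):
        self[message_id] = (sender, body)  # no check that the id already exists

class AppendOnlyThread:
    """After: server-assigned ids, no overwrites, hash-chained log."""
    def __init__(self):
        self.log = []  # records of (message_id, sender, body, chain_digest)

    @staticmethod
    def _digest(prev, message_id, sender, body):
        record = json.dumps([prev, message_id, sender, body]).encode()
        return hashlib.sha256(record).hexdigest()

    def submit(self, sender, body, message_id=None):
        if message_id is not None:  # clients may not name or reuse an id
            raise PermissionError("client-supplied message_id rejected")
        fields = (secrets.token_hex(8), sender, body)
        prev = self.log[-1][3] if self.log else ""
        self.log.append(fields + (self._digest(prev, *fields),))
        return fields[0]

    def verify(self):
        prev = ""
        for *fields, digest in self.log:
            if digest != self._digest(prev, *fields):
                return False  # a record no longer matches its chained digest
            prev = digest
        return True

def demo():
    unsafe, safe = UnsafeThread(), AppendOnlyThread()
    unsafe.submit("alice", "m1", "Hi")  # constructed sample messages
    unsafe.submit("alice", "m1", "changed text")  # silently replaces "Hi"
    mid = safe.submit("alice", "Hi")
    try:
        safe.submit("alice", "changed text", message_id=mid)
        blocked = False
    except PermissionError:
        blocked = True
    intact = safe.verify()
    safe.log[0] = (mid, "alice", "changed text", safe.log[0][3])  # simulated tamper
    return unsafe["m1"][1], blocked, intact, safe.verify()
```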