Facebook Privacy Flaw : Chat Visible to Prying Eyes!

So, your Facebook account is protected by a username and password…that should be enough to keep you secure, right? Possibly not, as Facebook seems to be sending a lot of its behind-the-scenes traffic in plain text. Should we be worried? Maybe.

Simple Summary

If you are using Facebook Chat on a public network, or a virus is listening to the information sent from your browser to the internet, your conversation can be read, intercepted and manipulated.

Technical Introduction

As a brief technical introduction, Facebook uses SSL in order to secure your login. This means that your password is never, ever, sent over the internet in any way that a human can understand. However, Facebook seems to have left a gaping hole in its privacy when it comes to Facebook Chat, by not encrypting your conversations as they travel to and from Facebook's servers. What does this mean for you? Well, essentially anybody with the right combination of hardware and software can view your Facebook Chat, without knowing your username or password at all.

I would like to note at this point that I discovered this by accident, using legal software called Fiddler, which I use as part of testing for my work projects. I was actually having a quick break from testing, and checking my chat, when I accidentally left the software running. When I alt-tabbed back into my testing, I was surprised to see everything I had done in Facebook documented, line by line, by software which had no idea what my username and password were…

Fiddler is free software, used by software testers and security testers worldwide.

A technology called AJAX is used on Facebook to send and receive data in the background, so that you don't have to refresh the page repeatedly. A computer with Facebook open seems to communicate with Facebook's servers roughly once every 10 seconds using AJAX, yet Facebook does not appear to secure these AJAX calls, so entire conversations can be read, in a format which is easy for anybody to understand. This format contains:

  • Your full name, and the full name of the person you are talking to.
  • Your individual Facebook ID, which identifies a user uniquely in the world.
  • The timestamp of the message.
  • The message itself (in plain, human-readable text).

Spying Scenarios

Still, you might be thinking, it hardly matters, as you have to be running the tool in order for this to happen. Except that’s not always the case.

Imagine the following scenarios where this could be an issue:

  • The recorder is on your PC without your knowledge, i.e. installed as a virus or by another user.
  • The recorder is installed by system admins who want to track what you are up to (schools, universities, work).
  • Somebody on another PC, using intercept hardware like a promiscuous wireless card, has the software and can act as a man-in-the-middle between your PC and the internet, which is easily done on wireless networks.

What's more, if the software is acting as a scripting agent, there is nothing to stop a savvy programmer from not only reading the messages in real time, but also modifying them before they reach their destination…(sounds like a great excuse for nasty emails to an ex….) You could argue that people with this knowledge and intent can already see wall posts etc. in real time, which is true, and always has been. However, Facebook Chat seems to imply a degree of privacy, a privacy which is protected neither by standard encryption nor by any control against modification in transit.

I am surprised Facebook doesn't offer an encrypted version of its chat, and maybe it plans to in future…
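To make the two points above concrete (that a background call sent over plain HTTP exposes every field in it to anyone on the path, and that the fix is simply to insist on TLS for those calls), here is an added example of the kind of check a developer would run over a proxy transcript like the one Fiddler produces. This is not code from the original post and it is not Facebook's code; the request records, URLs under example.test, field names and message text are all constructed placeholders, not Facebook's real endpoints or wire format.

```javascript
// Added example: audit a web client's background (AJAX/XHR) calls for
// cleartext transport, then show a client-side guard that refuses to
// send such calls over plain HTTP. All records below are constructed.

// Field names we would consider sensitive if they appear in a cleartext body.
// (Hypothetical names; the real service's format is not known to this example.)
const SENSITIVE_FIELDS = ['from_name', 'to_name', 'from_id', 'to_id', 'time', 'msg'];

// Constructed sample of a proxy log for a chat page: one TLS login, one
// cleartext chat send, one cleartext poll, one static asset over TLS.
const capturedRequests = [
  { method: 'POST', url: 'https://login.example.test/login',
    body: 'email=a%40b.test&pass=hunter2' },
  { method: 'POST', url: 'http://chat.example.test/ajax/send',
    body: JSON.stringify({ from_name: 'Alice Example', to_name: 'Bob Example',
                           from_id: 1001, to_id: 1002, time: 1247000000,
                           msg: 'see you at 8' }) },
  { method: 'GET', url: 'http://chat.example.test/ajax/poll?t=1247000010', body: '' },
  { method: 'GET', url: 'https://cdn.example.test/app.js', body: '' },
];

// Classify one request: is it sent in the clear, and if so, which sensitive
// fields could a passive observer on the network path read verbatim?
function classifyRequest(req) {
  const cleartext = new URL(req.url).protocol === 'http:';
  let exposed = [];
  if (cleartext && req.body) {
    let parsed = null;
    try { parsed = JSON.parse(req.body); } catch { /* not JSON: body still readable, but no named fields */ }
    if (parsed && typeof parsed === 'object') {
      exposed = SENSITIVE_FIELDS.filter((f) => f in parsed);
    }
  }
  return { url: req.url, cleartext, exposed };
}

// Summarise a whole capture. Every cleartext request is a finding, because
// plain HTTP gives neither confidentiality nor integrity on the path: the
// body can be read and also rewritten before it reaches the server.
function auditCapture(requests) {
  const findings = requests.map(classifyRequest).filter((r) => r.cleartext);
  return {
    total: requests.length,
    cleartextCount: findings.length,
    exposedFields: [...new Set(findings.flatMap((f) => f.exposed))],
    findings,
  };
}

// Mitigation on the client side: a wrapper the page's own code can use so
// that background calls never go out over plain HTTP. It throws instead of
// silently rewriting the scheme, so the mistake surfaces during testing.
function tlsOnlyUrl(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') {
    throw new Error(`refusing cleartext request to ${u.host}: use https://`);
  }
  return u.toString();
}

// Drop-in replacement for fetch() in a browser or Node 18+ (assumed available).
async function secureFetch(url, options) {
  return fetch(tlsOnlyUrl(url), options);
}

// Run the audit over the constructed capture and print the report.
const auditReport = auditCapture(capturedRequests);
console.log(JSON.stringify(auditReport, null, 2));
```

Run against the constructed capture, the report flags two of the four requests as cleartext and lists every chat field (both names, both IDs, the timestamp and the message text) as readable on the wire, which is exactly the set the post describes; the login call, being over TLS, is not flagged. The same audit can be pointed at a real proxy export of your own application to confirm that nothing sensitive leaves the browser unencrypted.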

Also, I might note that Facebook is in no way the right place to share confidential information anyway. There are too many gaps in security through which people could see what you are doing. As for public open WiFi…you are asking for trouble!

1. The author discovered this using completely legal methods, and has no interest in viewing your Facebook chats. He does, however, believe in strong internet security, and thinks you should understand the dangers of using sites like Facebook on a network you don't have 100% control over.
2. Fiddler cannot be used in its default setup to perform this sort of hack on any PC other than the PC it is running on. That is not to say it could not be modified to do this, especially with its free API.
3. I don't mean to worry anybody with this article. I will continue to use chat on my personal computer, but it is worth knowing for people who use Facebook at school, uni, work, or sitting inside Starbucks: Big Brother could be watching you!

Twitter: @adam_d_king

About the Author

Adam King

Computer Programmer / Generic Geek / Networking Specialist