Skip to Main ContentSkip to Footer
Advisory

Facebook Messenger (iOS) Certificate Validation Vulnerability

Dell SecureWorks Security Advisory SWRX-2016-001

March 22, 2016

Advisory Information

  • Title: Facebook Messenger (iOS) Certificate Validation Vulnerability
  • Advisory ID: SWRX-2016-001
  • Date published: Tuesday, March 22, 2016
  • CVE: Not assigned
  • CVSS v2 base score: 5.8
  • Date of last update: Tuesday, March 22, 2016
  • Vendors contacted: Facebook, Inc.
  • Release mode: Coordinated
  • Discovered by: Sean Wright, Dell SecureWorks

Summary

The Facebook social networking service includes a mobile application called Messenger that allows users to send private messages to their Facebook contacts. Although the application uses HTTPS to communicate with the backend servers, insufficient validation of the certificates returned by these servers leaves the application open to man-in-the-middle (MITM) attacks.

Download the PDF: SWRX-2016-001

PGP Signature

ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM
Secureworks Counter Threat Unit™ (CTU) researchers frequently serve as expert resources for the media, publish technical analyses for the security community, and speak about emerging threats at security conferences. Leveraging Secureworks’ advanced security technologies and a network of industry contacts, the CTU™ research team tracks threat actors and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables CTU researchers to identify threats as they emerge and develop countermeasures that protect customers before damage can occur.
Back to more Threat Analyses and Advisories