Advisory

Facebook Messenger (iOS) Certificate Validation Vulnerability

Dell SecureWorks Security Advisory SWRX-2016-001

Advisory Information

  • Title: Facebook Messenger (iOS) Certificate Validation Vulnerability
  • Advisory ID: SWRX-2016-001
  • Date published: Tuesday, March 22, 2016
  • CVE: Not assigned
  • CVSS v2 base score: 5.8
  • Date of last update: Tuesday, March 22, 2016
  • Vendors contacted: Facebook, Inc.
  • Release mode: Coordinated
  • Discovered by: Sean Wright, Dell SecureWorks

Summary

The Facebook social networking service includes a mobile application called Messenger that allows users to send private messages to their Facebook contacts. Although the application uses HTTPS to communicate with the backend servers, insufficient validation of the certificates returned by these servers leaves the application open to man-in-the-middle (MITM) attacks.

Download the PDF: SWRX-2016-001

PGP Signature


ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.
Back to more Threat Analyses and Advisories

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.