A vulnerability affecting the Web version of Facebook Messenger may have exposed who you've been chatting with on that platform.
Imperva Security Researcher Ron Masas discovered the flaw and privately reported it to Facebook. The social network has already rolled out a fix.
"I started poking around the Messenger web application and noticed that iFrame elements were dominating the user interface," Masas wrote in a Thursday blog post. "I decided to record the iFrame count data over time for as many endpoints I could find, with the goal of uncovering interesting and detectable states."
He did notice an interesting pattern:
More From PCmag
"When the current user has not been in contact with a specific user, the iFrame count would reach three and then always drop suddenly for a few milliseconds," Masas explained. "This could let [an attacker] remotely check if the current user has chatted with a specific person or business, which would violate those users' privacy."
An attacker could have exploited the bug by simply tricking a Messenger user into visiting a malicious site, then getting them to click anywhere on the page, like pressing play on a cute cat video.
To correct the bug, Facebook has removed all iFrames from the Messenger user interface, Masas wrote.
Revelations about the bug come after Facebook CEO Mark Zuckerberg earlier this week outlined a new plan to build a "privacy-focused" messaging and social networking platform. The idea might seem laughable to those who have been following the company's many recent privacy scandals, but Zuckerberg said he's ready to prove doubters wrong.
"I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform—because frankly we don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing," he wrote. "But we've repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories."
This article originally appeared on PCMag.com.