Facebook Messenger Vulnerability Patched

Facebook has patched a vulnerability in the desktop and mobile versions of its Messenger app that allows an attacker to access and modify chats, exposing the victim to potential fraud and malware.

Researchers at Check Point Software Technologies privately disclosed the issue May 2 to Facebook, which patched it two weeks later. The flaw, Check Point said, allows an attacker to, among other things, access chat history and add or change links to a chat session. If the victim is persuaded to click on what is now a malicious link, they could start a malware download or establish a connection to an attacker’s command and control server.

Check Point said the victim would be unaware of the changes: chat threads could be deleted or modified, and links and files could be replaced or added. Researcher Roman Zaikin is credited with the discovery.

Oded Vanunu, head of products vulnerability research at Check Point, told Threatpost that if an attacker can retrieve an identifier known as the message_id parameter from the Messenger app, they would be able to manipulate messages without a notification being sent to the user’s desktop or mobile device. A sample attack is described in the Check Point report.

“The bug is in the business logic of the Facebook Messenger app,” Vanunu said. The message_id parameter is sequential, and Vanunu said it is trivial to manipulate that parameter and modify chat content.
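As an added illustration of the business-logic gap described above (a constructed example, not Facebook's or Check Point's code; chat and user names are invented): a message-edit handler that trusts a client-supplied sequential message_id, beside one that checks chat membership and message ownership before writing.

```python
import secrets


class MessageStore:
    """Constructed in-memory chat backend; not Facebook's implementation."""

    def __init__(self, members):
        self.members = members      # chat_id -> set of user names
        self.messages = {}          # message_id -> {"chat", "sender", "body"}
        self.next_seq = 1

    def send(self, chat_id, sender, body, sequential_ids=True):
        # Sequential ids make every other message's id guessable; random ids
        # remove guessability but are no substitute for an ownership check.
        if sequential_ids:
            mid, self.next_seq = str(self.next_seq), self.next_seq + 1
        else:
            mid = secrets.token_urlsafe(16)
        self.messages[mid] = {"chat": chat_id, "sender": sender, "body": body}
        return mid

    def edit_vulnerable(self, requester, message_id, new_body):
        # Business-logic flaw: the server trusts the client-supplied
        # message_id and never asks whether requester may touch it.
        self.messages[message_id]["body"] = new_body
        return True

    def edit_checked(self, requester, message_id, new_body):
        # Hardened: the message must exist, the requester must be a member
        # of its chat and must be the original sender; otherwise refuse.
        msg = self.messages.get(message_id)
        if msg is None or requester not in self.members.get(msg["chat"], ()):
            return False
        if msg["sender"] != requester:
            return False
        msg["body"] = new_body
        return True


def demo():
    store = MessageStore({"chat-1": {"alice", "bob"}})
    mid = store.send("chat-1", "alice", "https://example.org/report")
    # "mallory" is not in the chat; with sequential ids the id "1" is guessable.
    store.edit_vulnerable("mallory", mid, "https://replaced.invalid/")
    tampered = store.messages[mid]["body"]
    store.messages[mid]["body"] = "https://example.org/report"  # reset
    mallory_allowed = store.edit_checked("mallory", mid, "https://replaced.invalid/")
    owner_allowed = store.edit_checked("alice", mid, "https://example.org/report-v2")
    return mid, tampered, mallory_allowed, owner_allowed, store.messages[mid]["body"]
```

The hardened handler also makes a server-side audit log of refused edits straightforward, which is the detection signal a sequential-id probe would leave.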

“One of the attack scenarios happens where an attacker could send a legitimate URL and send additional information making it attractive to you to click,” Vanunu said. “At first, you will see legitimate content and nothing will be wrong. But after some time, the attacker would have replaced the URL to point at the infection, and since the user has already trusted the URL, they could be persuaded to click it again.”

An attacker could also abuse this vulnerability to automate a connection between a victim’s computer and a command and control server. An attacker could use this to deliver ransomware, for example, Vanunu said.

“The main challenge with ransomware for criminals is to make sure infection points would be live for long periods,” he said, referring to command and control servers storing the private keys that encrypt data on victims’ machines. Vanunu said servers are on average alive for 24 to 48 hours before signatures in security products close off connections.

“With this method, a criminal can do some automation and send malicious activity to thousands of people so that every time there is a new infection point, it gets changed in the background,” Vanunu said. “This way they can change the links without anyone noticing; it’s an excellent method for sending private keys.”

Facebook has made the change to its business logic and this vulnerability has been closed off.

“Facebook was very responsive and took this seriously,” Vanunu said. “It’s important to understand that this infrastructure is serving hundreds of millions of users. Bringing a code change could be harmful. Facebook managed to close this vulnerability in two weeks.”
