How can attackers listen to your Facebook voice message?

Whenever a person records an audio clip and sends it to another person, the clip is uploaded to Facebook’s CDN. From there, the file is served to both the sender and the receiver. This transfer takes place over HTTPS.

Consider a scenario where an attacker with access to your network runs a MITM attack with SSL Strip. He or she can extract the absolute links of all files being exchanged, along with the secret authentication token embedded in each URL. This allows the attacker to grab those files easily.

Surprisingly, Facebook hasn’t patched this bug yet. While the company has acknowledged the bug, it didn’t offer any bug bounty. “The fact that we have not rolled it (HSTS) out on particular subdomains does not constitute a valid report under our program,” the company said.
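The gap the company describes, HSTS not rolled out on particular subdomains, can be audited from the response headers each host sends. The following is an added example, not code from the original article or from Facebook; the hostnames and header values are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit HSTS (RFC 6797) coverage per host. All hostnames/headers are constructed.

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if absent or invalid."""
    if not header:
        return None
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None                  # malformed max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None                          # max-age is mandatory
    return {"max_age": max_age, "include_subdomains": include_sub}

def hsts_coverage(host, observed):
    """Return the host whose policy protects `host`, or None if no policy applies."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):         # the host itself, then each parent domain
        candidate = ".".join(labels[i:])
        policy = parse_hsts(observed.get(candidate))
        if policy is None or policy["max_age"] == 0:   # max-age=0 removes the policy
            continue
        if i == 0 or policy["include_subdomains"]:
            return candidate
    return None

# Constructed HTTPS response headers, keyed by the host that sent them.
OBSERVED = {
    "example.test": "max-age=15552000",                  # no includeSubDomains
    "www.example.test": "max-age=15552000; preload",
    "secure.example.test": "max-age=31536000; includeSubDomains",
    "cdn.example.test": None,                            # header never sent
}

def audit(hosts, observed=OBSERVED):
    return {h: hsts_coverage(h, observed) for h in hosts}

if __name__ == "__main__":
    hosts = ["www.example.test", "cdn.example.test", "a.secure.example.test"]
    for host, by in audit(hosts).items():
        print(f"{host}: {'covered by ' + by if by else 'NOT covered, HTTP downgrade possible'}")
```

A parent-domain policy only protects a subdomain once the browser has received that policy over HTTPS or has it preloaded, so a header sent by the host itself is the stronger result.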