In a blog post, Imperva security researcher Ron Masas explains how a CSFL attack could exploit the properties of iFrame elements to determine the state of an application. Running this process through individual Messenger contacts would yield one of two states, full or empty, indicating whether a user had ever communicated with that contact or not. That’s essentially the extent of the flaw. It wasn’t able to retrieve conversations or pull data from chat histories — it simply produced binary data with very limited applications for nefarious individuals.

Nonetheless, Masas made Facebook aware of the bug, and given its connection to the previous, more serious flaw, Facebook has since decided to remove all iFrames from the Messenger userface completely. “Browser-based side-channel attacks are still an overlooked subject,” Mases writes on the Imperva blog. “While big players like Facebook and Google are catching up, most of the industry is still unaware.”