A simple HTML tweak can be used to exploit Facebook online chat as well as its Messenger app. The exploit works on the way Facebook assigns identities to chat messages. Each chat message has a unique “message_id” identifier that could be revealed by sending a request toOnce message_id is identified, an attacker could alter its respective message content and send it back to Facebook servers which accept the new content as legitimate and push it to the victim’s PC or mobile device. Facebook claims the vulnerability could not be exploited to infect its users’ PCs with malicious software, as the company is using anti-spam and anti-virus filters.
Source: https://thehackernews.com/2016/06/delete-facebook.html