As discovered by researchers at Imperva, they are reporting on a vulnerability/bug in the web version of Facebook Messenger that lets websites expose who you might have been chatting with. This is through the use of a Cross-Site Frame Leakage attack that exploits the iframe elements on the web version of Messenger.
The explanation provided is rather technical, but basically it exposed a flaw that could have in theory allowed another website to spy on your chats. The good news is that it seems that this issue has been fixed. “Having reported the vulnerability to Facebook under their responsible disclosure program, Facebook mitigated the issue by randomly creating iframe elements, which initially broke my proof of concept. However, after some work, I managed to adapt my algorithm and distinguish between the two states. I shared my finding with Facebook, who decided to completely remove all iframes from the Messenger user interface.”
It is unclear if anyone could have been affected by this or if the flaw might have been exploited before it was patched, but so far we haven’t heard anything on that front.