Facebook bug allowed websites to grab unsuspecting users’ personal data


Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users' profiles without them knowing about it.

The technique relied on HTML iframes, which, he said, "allowed information to cross over domains - essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends", said Masas.

Masas said that he reported the vulnerability to Facebook and worked with the company's security team to ensure that the issue was thoroughly resolved. "This is especially unsafe for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker's site", he explained.

Imperva security researcher Ron Masas, who was the first to spot the issue, says the vulnerability lay in Facebook's search feature. He revealed that a malicious website open in another tab could steal sensitive data from a logged-in Facebook account.

Fortunately, there are no known cases of the bug being exploited, and Facebook patched it before the details were made public.


But Facebook told TechCrunch that it hasn't seen any abuse of the vulnerability.

While the user is interacting with the malicious page, Masas' script would open Facebook search in another tab, automate a series of searches and count the number of iframes each results page contained through the opened window's "fb.frames.length" property, logging the results. A page cannot read a cross-origin document, but browsers do let it read the frame count of a window it opened, and the results page contained a different number of iframes depending on whether the search matched anything. That is enough to turn each search into a yes/no answer, and it means the bug "exposed the user and their friends' interests, even if their privacy settings were set so that interests were only visible to the user's friends", notes Masas. Facebook fixed the bug days later by adding CSRF protections, so a search can no longer be triggered from a third-party site without a token the attacker does not have, and paid out $8,000 in two separate bug bounties.

From there, an attacker could infer private data about a target and their Facebook friends, such as whether they have posts containing certain text or photos taken at a specific location. It is not known how long the vulnerability existed or whether it was ever exploited in the wild.
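The following is an added example, not code from the article or from Imperva's write-up. It models the frame-count side channel described above and the effect of the CSRF-token fix: an attacker page cannot read anything inside a cross-origin window it opened, but it can read that window's `length` (the number of child frames), so a results page whose iframe count depends on whether the search matched leaks one bit per query. The simulated search endpoint, the post data, the token value and the "one iframe per hit" layout are all assumptions; in a real browser `openSearch` would be `window.open(searchUrl)` with the count read once the page has loaded.

```javascript
// Added example, not code from the original article or from Imperva's
// write-up: a model of the frame-count side channel and of the CSRF-token
// fix. The simulated search endpoint, the post data, the token value and the
// "one iframe per hit" layout are assumptions; the real Facebook markup
// and endpoint differ.

// Assumed target site. openSearch() stands in for window.open(searchUrl) on
// the attacker page: it returns only what a cross-origin page may touch,
// a window-like object whose `length` is the number of child frames.
function makeTargetSite({ requireToken }) {
  const session = { user: 'victim', csrfToken: 'tok-7f3a' }; // assumed
  const posts = [                                              // constructed
    { author: 'friend1', text: 'skiing trip photos' },
    { author: 'friend2', text: 'new job announcement' },
  ];
  return function openSearch(query, token) {
    // With the fix, a search reached without the session's token renders an
    // error page that embeds no frames, so every probe looks identical.
    if (requireToken && token !== session.csrfToken) {
      return { length: 0 };
    }
    const hits = posts.filter((p) => p.text.includes(query)).length;
    return { length: hits }; // assumption: one iframe per result
  };
}

// Attacker page logic. The cross-origin window's document, URL and title are
// off limits, but `length` is readable (it is one of the properties the HTML
// spec allows across origins), which is exactly the fb.frames.length signal.
function probe(openSearch, keywords, attackerToken) {
  const findings = {};
  for (const kw of keywords) {
    const fb = openSearch(kw, attackerToken);
    findings[kw] = fb.length > 0; // "any result?" bit for this keyword
  }
  return findings;
}

// Stand-alone run: the vulnerable site leaks, the fixed site does not.
function demo() {
  const keywords = ['skiing', 'job', 'cats'];
  const leaky = probe(makeTargetSite({ requireToken: false }), keywords);
  const fixed = probe(makeTargetSite({ requireToken: true }), keywords);
  return { leaky, fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The fix works because the attacker's page never learns the victim's session-bound token, so every cross-site-initiated search renders the same page regardless of what the victim's data contains; a first-party request carrying the token still works normally. Any site whose page layout varies with the result of a request the attacker can trigger is exposed to the same measurement, which is why the issue is not specific to Facebook.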

The underlying frame-count leak is reportedly not unique to Facebook. "We appreciate this researcher's report to our bug bounty program", said Facebook spokesperson Margarita Zolotova.
