Facebook had a bug that allowed websites to extract data from users' profiles, such as their interests and likes, without the users being aware of it. Thankfully, Facebook fixed the bug a few days after Ron Masas, a security researcher at Imperva, flagged the issue in May.
Masas found that the vulnerability stemmed from Facebook's search results page, which was not properly protected against cross-site request forgery (CSRF). A website, or the person running it, could silently pull some of your data from the Facebook profile you were logged into in another tab.
He realized that simply by checking for an iframe inside the search results page, he could determine whether a search query had returned a positive or negative result. Masas says this let him learn things such as whether a user had liked a particular page, had photos taken at a certain geographical location, had friends of a certain religion in their friends list, had shared posts containing specific text, had friends with a particular name, or had friends living in a specific city or country, all by asking a series of yes/no questions.
He also said it is easy to carry out this attack without users noticing: all that is needed is to keep them engaged with a particular article, video, picture or other piece of content. Masas added that the issue is especially serious on mobile browsers, where the actual tabs are hidden beneath each other.
Thankfully, a Facebook spokesperson said that no data was lost and no users were compromised. The company also awarded Imperva $8,000 in two separate bug bounty rewards.
“We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications,” a Facebook spokesperson said.
Facebook has been hit by a string of security issues, and this is the latest to surface this year. Stay tuned with TechnoCodex and we will keep you updated.