Facebook Bug Allowed Websites To Grab Unsuspecting Users' Personal Data

Doris Richards
November 15, 2018

The now-defunct data analysis firm from the United Kingdom got hold of information, including likes and friends' interests, from 87 million Facebook accounts without users' permission. The newly reported bug could likewise let attackers learn information such as the names of a user's friends, liked pages and interests, and find particular posts by searching for certain keywords. Facebook is said to have fixed it just days later. The vulnerability affected Facebook in Google's Chrome browser, which accounts for more than 60 percent of browsers used online. "This is especially unsafe for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker's site", the researcher explained.

TechCrunch reported Tuesday, November 13, that Imperva security researcher Ron Masas discovered Facebook search results were not protected from cross-site request forgery (CSRF) attacks.

In this scenario, the attack could siphon data from Facebook while the victim was logged in on another browser tab. By manipulating Facebook's graph search, it was possible to craft search queries whose results reflected personal information about the user.
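The defect described above is a search endpoint that answers any request carrying the user's session cookie, even one a browser sends on behalf of a page on another origin. The following is an added example, not Facebook's or Imperva's code, of the server-side check a defender would want: a search handler that serves cross-site requests as if the user were logged out, using the real `Sec-Fetch-Site`, `Origin` and `Referer` headers. The host name `social.example`, the post data and the request headers are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlparse

SITE_HOST = "social.example"  # assumed host of the site that serves search (placeholder)

# Constructed sample data: the friends-only post must never be returned to a
# cross-site caller, even though that caller's browser attaches the victim's cookie.
POSTS = [
    {"id": 1, "text": "public launch announcement", "visibility": "public"},
    {"id": 2, "text": "friends-only birthday party plans", "visibility": "friends"},
]


def is_same_site_request(headers: dict) -> bool:
    """Decide whether the request was initiated from this site's own pages.

    Prefers the Sec-Fetch-Site header (sent by Chrome and other modern browsers);
    falls back to the host in Origin / Referer; fails closed when neither is present.
    """
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None:
        # 'none' means a user-initiated navigation (typed URL, bookmark), not another site.
        return sfs in ("same-origin", "same-site", "none")
    provenance = headers.get("Origin") or headers.get("Referer")
    if not provenance:
        return False
    return urlparse(provenance).hostname == SITE_HOST


def search(headers: dict, query: str, session_user: Optional[str]) -> list:
    """Return matching post ids.

    A cross-site request is answered with the anonymous view, so a page on
    another origin cannot probe the logged-in user's non-public data through
    the user's own browser, whatever the cookie says.
    """
    effective_user = session_user if is_same_site_request(headers) else None
    words = query.lower().split()
    results = []
    for post in POSTS:
        if post["visibility"] != "public" and effective_user is None:
            continue  # non-public data is only visible to a genuine same-site session
        if all(w in post["text"] for w in words):
            results.append(post["id"])
    return results
```

In production the same decision would also be backed by `SameSite` cookies and a per-request anti-CSRF token; the header check here shows the minimum that would have stopped a page in another tab from reading the user's results.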

Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year.

He also said that it is easy to keep users unaware of the attack: all that is needed is to keep them engaged with a particular article, video, picture or other content. Masas also said that the issue is worse on mobile browsers, where the open tabs are hidden behind one another.

Fortunately, there are no known cases of the bug being exploited, and Facebook patched it before the details were made public.

The company awarded Imperva $8,000 in two separate bug bounty rewards. The bug "exposed the user and their friends' interests, even if their privacy settings were set so that interests were only visible to the user's friends", notes Masas.

This is another Facebook vulnerability that could have exposed information about users and their friends. Given that Masas was deliberately hunting for vulnerabilities, we suspect that such a bug isn't something that opportunistic hackers would stumble across.

"We appreciate this researcher's report to our bug bounty program", a spokesperson said in a statement.
