Published: Thu, November 15, 2018
Electronics | By Kelly Massey

Facebook Bug Allowed Websites To Grab Unsuspecting Users' Personal Data

Cybersecurity company Imperva recently revealed details on a Facebook vulnerability that would have allowed malicious websites to obtain users' personal information.

Imperva researcher Masas realized that just by checking for an iframe inside the search results page, he could easily determine whether a search query had returned a positive or negative result. With Facebook having faced multiple privacy issues in recent times, its data slips will be under close scrutiny for the foreseeable future, even if attackers didn't exploit this particular bug. In short, the search results page lacked protection against Cross-Site Request Forgery (CSRF), so a malicious page could embed it in an iframe and infer portions of data from your logged-in Facebook profile.

Attackers could have run queries with certain graph searches, such as to find out whether you liked a page, if you took photos at a certain location or if you or your friends used specific keywords in your posts.

A video demonstrating how the hack works shows a pop-up window where the attackers type in the questions. The vulnerability was tied to Facebook on Google's Chrome browser, which accounts for more than 60 percent of browsers used online. If the user interacts with this page in any way, such as scrolling or clicking, the page automatically executes malicious JavaScript code that automates the search queries in a new tab.

Warning that the technique could increase in popularity throughout 2019, Masas added, "Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook's use of iframes to leak the user's personal information".

Facebook has since patched the bug. Attackers could also have searched for posts that contained specific text from the user or their friends.

"We appreciate this researcher's report to our bug bounty program", said Facebook spokesperson Margarita Zolotova in a statement.

The bug has been fixed by adding CSRF protections, and Facebook has also paid Imperva $8,000 in two separate bug bounties. "As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications".
