Published: Thu, November 15, 2018
Tech | By

Facebook bug allowed websites to see users’ likes and interests

Your Facebook likes, posts and friends were exposed by a vulnerability the social network recently fixed. Put simply, Facebook's search results lacked protection against an attack known as Cross-Site Request Forgery (CSRF), in which a malicious page embeds an iframe to read portions of data from your logged-in Facebook profile. "Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook's use of iFrames to leak the user's personal information", Imperva researcher Ron Masas said. The security company detailed the flaw in a blog post on Tuesday morning.

"As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications", Facebook said.

The attack requires tricking a Facebook user into opening a malicious site and clicking anywhere on it, which opens a popup or a new tab pointing at the Facebook search page.

From there, the attacker could craft searches that look for personal information: your list of friends, for example, the pages you have liked, and the pages your friends have liked.
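The mechanism described above depends on two things the browser does by default: it lets a third-party page embed an authenticated page in an iframe or popup, and it attaches the session cookie to that cross-site request. The following is an added example, not code from Imperva, Facebook or the article, showing how a defender can audit a response's headers for the two controls that cut off that path: a CSP `frame-ancestors` directive (or `X-Frame-Options`) that forbids untrusted embedding, and a `SameSite` attribute on the session cookie so it is not sent on cross-site frame loads. The header values and cookie names below are constructed samples, not captured from any real site.

```python
"""Audit HTTP response headers for cross-site framing protections.

Added example for illustration; not from the article, Imperva or Facebook.
All header values below are constructed sample data.
"""
from typing import Dict, List


def _frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the CSP frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def framing_allowed_cross_site(headers: Dict[str, str]) -> bool:
    """True if an arbitrary third-party origin could embed this response in an iframe.

    Per the CSP spec, frame-ancestors takes precedence over X-Frame-Options
    when both are present, so it is evaluated first.
    """
    ancestors = _frame_ancestors(headers.get("Content-Security-Policy", ""))
    if ancestors:
        # A bare wildcard or scheme-only source lets any origin on that scheme embed the page.
        return any(src in ("*", "https:", "http:") for src in ancestors)
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    return True  # no framing restriction at all


def cookie_sent_cross_site(set_cookie: str) -> bool:
    """True if the browser would attach this cookie to a cross-site iframe request.

    Without SameSite=Lax or SameSite=Strict the cookie rides along on cross-site
    subresource and frame loads, which is what renders a framed page in the
    victim's logged-in state. SameSite=None (or no attribute) is reported as sent.
    """
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    for attr in attrs:
        if attr.startswith("samesite="):
            return attr.split("=", 1)[1] not in ("lax", "strict")
    return True


def audit(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Return a list of human-readable findings for one response."""
    findings = []
    if framing_allowed_cross_site(headers):
        findings.append(
            "page can be framed by untrusted origins; "
            "add Content-Security-Policy: frame-ancestors 'self' (or X-Frame-Options)"
        )
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        if cookie_sent_cross_site(cookie):
            findings.append(f"cookie {name!r} lacks SameSite=Lax/Strict and is sent on cross-site frame loads")
    return findings


# Constructed sample responses (not real captures): the weak configuration beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_COOKIES = ["sid=abc123; Path=/; Secure; HttpOnly"]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_COOKIES = ["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit(hdrs, cookies) or ["no findings"])
```

The check deliberately treats `SameSite=None` the same as a missing attribute, because both leave the cookie attached to cross-site frame loads; a page that must be embeddable by partners should name those origins explicitly in `frame-ancestors` rather than fall back to `*`.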

Imperva security researcher Ron Masas, who was the first to spot the issue, says the vulnerability lay in Facebook's Search feature.

He also said it is easy to keep users unaware of this attack: all that is needed is to keep them engaged with a particular article, video, picture or other content. Masas also said the issue is especially severe on mobile browsers, where the tabs are hidden beneath each other. Even if the privacy settings were set to show interests only to the user's friends, the bug could reveal the information to the attacker.

Data like this can be extremely valuable to outside firms, as Facebook's Cambridge Analytica scandal demonstrated back in March.

In September, Facebook said hackers had stolen personal information on 29 million people using vulnerabilities tied to its View As feature.

The bug is reportedly not unique to Facebook. Before this, the company faced the September data breach mentioned above, which affected 29 million users.

For the latest tech news and updates follow TechnoCodex on Facebook, Twitter, Google+.