This Facebook bug allowed websites to access users' personal information
When it comes to Facebook, the news is mostly about privacy. The company revealed details of a major data breach in September, and now security researchers have confirmed that the platform had another bug, one that opened the gates to the personal information of Facebook users. The social network, for its part, says the vulnerability was not abused and was patched soon after discovery. Here's more.
The bug allowed information to cross over domains
According to a researcher from the security firm Imperva, Facebook search results were not properly protected against cross-site request forgery, a form of web-based, one-click attack. This meant that bad actors could have created malicious websites that used an iframe (normally used for embedding videos or other web pages within a page) to collect information about Facebook users as well as their friends, TechCrunch reported.
How could attackers have gained information?
Simply visiting the malicious website and clicking anywhere on it while logged into Facebook would have been enough for attackers to steal information. They could have opened a pop-up and run any number of queries against the Facebook account of the targeted user. Each query would have answered a question about the user's likes and interests with a simple 'yes' or 'no'.
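The two sections above describe a search endpoint that answered queries on behalf of whoever was logged in, even when the request came from another site's iframe. The article does not say what Facebook's fix consisted of, so the following is an added, illustrative example (not Facebook's or Imperva's code) of the standard server-side defences for this class of bug: a session cookie issued with SameSite=Lax so browsers do not attach it to cross-site iframe loads, a per-session CSRF token that must accompany every search query, a check of the browser's Sec-Fetch-Site header, and anti-framing headers on every response. The Request/Response classes, the secret, the session id and the search backend are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict

# Constructed secret for the example; a real service would load it from a secret store.
SERVER_SECRET = b"example-only-secret-do-not-reuse"
SESSION_COOKIE = "session"

# Sent with every response so no other site can embed the search page in an iframe.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: headers, cookies and query parameters."""
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie value for a new session. SameSite=Lax keeps the browser from sending
    the cookie on cross-site subresource loads such as an iframe, so a framed request
    arrives unauthenticated rather than as the victim."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token_for(session_id: str) -> str:
    """Per-session CSRF token bound to the session with an HMAC. The first-party page
    embeds it in its own search requests; a third-party site cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_cross_site(headers: Dict[str, str]) -> bool:
    """Use the browser-supplied Fetch Metadata header when present. Anything other than
    a same-origin/same-site request or a direct user navigation ('none') is cross-site.
    Older browsers omit the header, so the CSRF token check below still applies."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return False
    return site not in ("same-origin", "same-site", "none")


def run_search(session_id: str, q: str) -> str:
    """Placeholder for the real search backend; constructed for the example."""
    return f"results for {q!r} as {session_id}"


def handle_search(req: Request) -> Response:
    """Search endpoint with the protections layered: session required, cross-site
    requests refused, CSRF token verified, anti-framing headers on every response."""
    session_id = req.cookies.get(SESSION_COOKIE)
    if not session_id:
        return Response(401, "login required", dict(ANTI_FRAMING_HEADERS))
    if is_cross_site(req.headers):
        return Response(403, "cross-site request refused", dict(ANTI_FRAMING_HEADERS))
    expected = csrf_token_for(session_id)
    supplied = req.query.get("csrf", "")
    if not hmac.compare_digest(expected, supplied):
        return Response(403, "missing or invalid CSRF token", dict(ANTI_FRAMING_HEADERS))
    body = run_search(session_id, req.query.get("q", ""))
    return Response(200, body, dict(ANTI_FRAMING_HEADERS))


if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    # A request driven from another site's iframe: the cookie may still be present
    # on an older browser, but the Fetch Metadata check refuses it.
    framed = Request(headers={"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "iframe"},
                     cookies={SESSION_COOKIE: sid}, query={"q": "photos"})
    print(handle_search(framed).status)  # 403
    # The site's own page, carrying the per-session token.
    own = Request(headers={"Sec-Fetch-Site": "same-origin"},
                  cookies={SESSION_COOKIE: sid},
                  query={"q": "photos", "csrf": csrf_token_for(sid)})
    print(handle_search(own).status)  # 200
```

The layers are deliberately redundant: the SameSite cookie stops most browsers from sending credentials with a framed request at all, the Fetch Metadata check refuses the request on browsers that do send it, and the HMAC-bound token catches browsers that support neither, while the framing headers remove the iframe as a vehicle in the first place.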
What kind of information was at risk?
This vulnerability could have revealed information such as whether a user had taken a photo at a particular place or posted content containing specific keywords. It could also have revealed whether the user or their friends liked a particular company's Facebook page. Attackers could even have used it to learn whether you have friends with a particular name or of a certain religion.
Statement from the researcher who found the bug
"The vulnerability exposed the user and their friends' interests, even if their privacy settings were set so that interests were only visible to the user's friends," the researcher who found the bug told TechCrunch.
Facebook's response to the situation
Imperva disclosed the bug back in May, after which Facebook issued a fix by adding the necessary protections. The company also awarded a bounty of $8,000 to the researcher who found the vulnerability. "We appreciate this researcher's report to our bug bounty program," a representative told The Verge. "We've fixed the issue in our search page and haven't seen any abuse."
Fix issued, but concerns remain
Though Facebook has issued a fix for the bug and says it is working to keep user data safe, privacy concerns remain. Prior to this incident, the company revealed a data breach affecting 30 million users, and before that there was the infamous Cambridge Analytica scandal. Just recently, private messages from some 81,000 hacked Facebook accounts were also put up for sale.