We all know the scrutiny Facebook has been under with regard to data protection, and at the start of the year Facebook was once again in the spotlight over the Cambridge Analytica scandal. This time, yet another security vulnerability has been reported in Facebook, one that could have allowed attackers to obtain certain personal information about users and their family and friends, potentially putting the privacy of users of the world’s most popular social network at risk. Throughout this article, we will analyse the vulnerability and demonstrate how it works.
This vulnerability was discovered by Ron Masas, a cybersecurity researcher from Imperva. According to Masas, the flaw lies in the page that displays search results, which includes iFrame elements associated with each result; the endpoint URLs of those iFrames did not have any mechanisms in place to protect against cross-site request forgery (CSRF) attacks.
How does this vulnerability work?
Used in the right way, Facebook’s search feature could be exploited to extract sensitive information related to your Facebook account, such as checking:
- If you have a friend with a specific name or a keyword in his/her name
- If you like a particular page or are a member of a specific group
- If you have a friend who likes a particular page
- If you have taken photos in a certain location or country
- If you have ever posted a photo taken at certain places/countries
- If you have ever posted an update on your timeline containing a specific text/keyword
And so on… any custom query you can come up with.
“This process can be repeated without the need for new popups or tabs to be open since the attacker can control the location property of the Facebook window,” Masas added. “This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site.”
In short, this vulnerability exposed the interests and activities of targeted users and their friends even if their privacy settings are set in a way that this information can only be visible to them or their friends.
The good news is that Imperva responsibly reported the bug to Facebook through the company’s vulnerability disclosure program in May 2018, and the social giant has now resolved the issue by adding CSRF protections. However, even though this has now been patched, your sensitive information could have already been leaked!
We recommend you go to ‘haveibeenpwned‘ and enter your Facebook login email to see if you’ve been hacked.
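As an added illustration (not Facebook's actual fix, which this article does not detail, and not code from Imperva), the example below shows one server-side way to refuse the cross-site window navigations and iFrame loads described above, using the browser's Fetch Metadata request headers. `TRUSTED_ORIGIN`, `decideSearchRequest` and the header sets it is called with are assumptions made for the example.

```javascript
// Added example. TRUSTED_ORIGIN is a constructed placeholder origin.
const TRUSTED_ORIGIN = "https://social.example";

// Headers attached to every response from the search endpoint.
const RESPONSE_HEADERS = {
  // Put the page in its own browsing context group, so a cross-origin
  // opener loses its usable handle on the window.
  "Cross-Origin-Opener-Policy": "same-origin",
  // Refuse to render inside frames hosted on other origins.
  "Content-Security-Policy": "frame-ancestors 'self'",
};

function sameOrigin(url) {
  try {
    return new URL(url).origin === TRUSTED_ORIGIN;
  } catch {
    return false; // unparsable Origin/Referer value, e.g. "null"
  }
}

// headers: request headers keyed by lower-case name.
function decideSearchRequest(headers) {
  const site = headers["sec-fetch-site"];
  let allow;
  let reason;
  if (site === undefined) {
    // Browser without Fetch Metadata: fall back to Origin, then Referer.
    // Failing closed when neither is present is this example's choice.
    const source = headers["origin"] || headers["referer"];
    allow = source !== undefined && sameOrigin(source);
    reason = allow ? "legacy same-origin" : "legacy: no same-origin proof";
  } else if (site === "same-origin") {
    allow = true;
    reason = "same-origin request";
  } else if (site === "none") {
    // Address bar or bookmark: only a top-level navigation is expected.
    allow = headers["sec-fetch-mode"] === "navigate";
    reason = allow ? "user-initiated navigation" : "unexpected mode";
  } else {
    // "cross-site" or "same-site": another site drove this request.
    allow = false;
    reason = `blocked ${site} ${headers["sec-fetch-dest"] || "request"}`;
  }
  return { status: allow ? 200 : 403, reason, headers: RESPONSE_HEADERS };
}
```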