Cyber security firm Imperva has released fresh information on a Facebook bug that could have allowed others to stealthily obtain details such as a user's “likes” and “interests” without the user's consent. Imperva notified Facebook of the vulnerability in May, and the social networking firm resolved the issue shortly afterwards.
Imperva's security researcher Ron Masas, who was the first to spot the issue, claims that the vulnerability was associated with Facebook's Search feature. He revealed that a malicious website opened in another tab could steal sensitive data from a logged-in Facebook account.
When the user clicked anywhere on the malicious site, it would open Facebook search in a background tab. The user would remain focused on the malicious page, which could be an online game or an online streaming site. Most users would not pay attention to the background tab, assuming it was just another ad. While the user spent time on the malicious site, the attacker could run multiple queries against Facebook search to extract the user's personal information.
Watch: How the attack works
Masas has shared a video showing how the attack works. The attack could allow attackers to learn information such as the names of the user's friends, liked pages and interests, and to find particular posts by searching for certain keywords. Even if the privacy settings were set to show interests only to the user's friends, the bug could still reveal the information to the attacker.
The bug has been fixed by adding CSRF protections, and Facebook has also paid $8,000 to Imperva in two separate bug bounties. Commenting on the issue, Facebook spokesperson Margarita Zolotova said: “We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
Facebook has encountered several user data mishaps in the recent past. Earlier this year, Facebook had shared the data of nearly 87 million users with Cambridge Analytica for election profiling in the U.S. Last month, the social networking site confirmed that a security flaw in its “view as” feature had given hackers access to 50 million accounts.