Facebook Bug Let Websites Access Private User Data
Security researcher at Imperva has indentified a vulnerability within Facebook which could easily allow other websites to extract the private information about users and their contacts.
The security researcher who found this vulnerability is Ron Mases, the vulnerability reportedly preyed on the unique cross-origin behavior of iframes, which embeds another HTML page into current page. By manipulating Facebook’s graph search, it was easily possible to craft search queries that reflected personal information about the user.
“A unique feature of the uncovered bug is the exploitation of the iframe element within Facebook’s search feature. This allowed information to cross over domains, essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company. Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.
Warning that the technique could increase in popularity throughout 2019, Masas added, “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iframes to leak the user’s personal information. Interestingly, this technique leaves almost no trace unlike authentication bypasses.”
According to Imperva, this vulnerability was reported to Facebook under its responsible disclosure program in May 2018. Mases worked with the Facebook security team to mitigate regressions and ensure that the issue was thoroughly resolved.
In a statement shared with TechCrunch, Facebook spokesperson Margarita Zolotova wrote, “We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”