UPDATED 21:45 EST / NOVEMBER 13 2018


Facebook patches bug that could have allowed outsiders to steal user data

Facebook Inc. has patched a bug that could have allowed other parties to access data from user profiles without permission, including interests and likes.

Discovered by Ron Masas, security researcher at Imperva Inc., the bug exposed Facebook search results to a cross-site request forgery attack. A CSRF attack is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

“A unique feature of the uncovered bug is the exploitation of the Iframe element within Facebook’s search feature,” Masas told SiliconANGLE Tuesday. “This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends.”

The attack requires tricking a Facebook user to open a malicious site and click anywhere on the site, prompting the opening of a popup or a new tab to the Facebook search page. From there, the attacker can force the user to execute any search query, including the ability to craft search queries that reflect personal information about the user.

Fortunately, there are no cases of the bug being implemented and Facebook patched it before the details were made public.

“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company,” Masas explained. “Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”

Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year. “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iFrames to leak the user’s personal information,” Masas added. “Interestingly, this technique leaves almost no trace, unlike authentication bypasses.”

Photo: nodstrum/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy