SECURITY
SECURITY
SECURITY
Facebook patches bug that could have allowed outsiders to steal user data
Facebook Inc. has patched a bug that could have allowed other parties to access data from user profiles without permission, including interests and likes.
Discovered by Ron Masas, security researcher at Imperva Inc., the bug exposed Facebook search results to a cross-site request forgery attack. A CSRF attack is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
“A unique feature of the uncovered bug is the exploitation of the Iframe element within Facebook’s search feature,” Masas told SiliconANGLE Tuesday. “This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends.”
The attack requires tricking a Facebook user to open a malicious site and click anywhere on the site, prompting the opening of a popup or a new tab to the Facebook search page. From there, the attacker can force the user to execute any search query, including the ability to craft search queries that reflect personal information about the user.
Fortunately, there are no cases of the bug being implemented and Facebook patched it before the details were made public.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company,” Masas explained. “Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year. “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iFrames to leak the user’s personal information,” Masas added. “Interestingly, this technique leaves almost no trace, unlike authentication bypasses.”
Photo: nodstrum/Flickr
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
