Facebook bug let websites read ‘likes’ and interests from a user’s profile
Facebook has fixed a bug that let any website pull information from a user’s profile — including their ‘likes’ and interests — without that user’s knowledge.
Those are the findings of Ron Masas, a security researcher at Imperva, who found that Facebook search results weren’t properly protected from cross-site request forgery (CSRF) attacks. In other words, a website could quietly siphon off certain bits of data from your logged-in Facebook profile in another tab.
Masas demonstrated how a website acting in bad faith could embed an IFRAME — used to nest a webpage within a webpage — to silently collect profile information.
“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
The malicious website could open several Facebook search queries in a new tab, and run queries that could return “yes” or “no” responses — such as if a Facebook user likes a page, for example. Masas said that the search queries could return more complex results — such as returning all a user’s friends with a particular name, a user’s posts with certain keywords, and even more personal demographics — such as all of a person’s friends with a certain religion in a named city.
“The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” he said.
In fairness, it’s not a problem unique to Facebook nor is it particularly covert. But given the kind of data available, Masas said this kind of data would be “attractive” to ad companies.
Imperva privately disclosed the bug in May. Facebook fixed the bug days later by adding CSRF protections and paid out $8,000 in two separate bug bounties.
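The article only says Facebook fixed the issue by “adding CSRF protections.” As an added illustration (not Facebook’s or Imperva’s code), the function below shows the kind of server-side gate a search endpoint needs so that a third-party page cannot frame it and read yes/no answers with the victim’s cookies: Fetch Metadata headers reject cross-site and framed requests, and a per-session token that the embedding site cannot read covers browsers that send no Fetch Metadata. `SITE_ORIGIN`, the secret and the session id are constructed values.

```python
import hmac
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed origin of the site being protected (assumption, not a real host).
SITE_ORIGIN = "https://social.example"

FRAMED_DESTS = ("iframe", "frame", "embed", "object")


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-CSRF token as HMAC-SHA256(secret, session_id).
    The token is embedded in the site's own pages; a cross-site page cannot read it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def search_request_allowed(headers: dict, session_id: str, secret: bytes,
                           token_param: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a search query may run with the user's session cookies.
    headers: HTTP request headers (any casing). Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    dest = h.get("sec-fetch-dest")

    # 1. Fetch Metadata (sent by modern browsers, cannot be forged by page script):
    #    refuse requests initiated from another site, and refuse to be framed
    #    by anything but our own origin.
    if site == "cross-site":
        return False, "cross-site request"
    if dest in FRAMED_DESTS and site != "same-origin":
        return False, "search page must not be framed cross-origin"

    # 2. No Fetch Metadata: fall back to Origin/Referer and require a match.
    if site is None:
        source = h.get("origin") or h.get("referer")
        if source is None:
            return False, "no origin information"
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False, "origin mismatch"

    # 3. Per-session token bound to this user's session; constant-time compare.
    expected = issue_csrf_token(session_id, secret)
    if token_param is None or not hmac.compare_digest(token_param, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```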
Facebook told TechCrunch that the company hasn’t seen any abuse.
“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
It’s the latest in a string of data exposures and bugs that have put Facebook user data at risk after the Cambridge Analytica scandal this year, which saw a political data firm vacuum up profiles on 87 million users to use for election profiling — including users’ likes and interests.
Months later, the social media giant admitted millions of user account tokens had been stolen by hackers who exploited a chain of bugs.