Facebook patches bug that could have allowed outsiders to steal user data
Facebook Inc. has patched a bug that could have allowed other parties to access data from user profiles without permission, including interests and likes.
Discovered by Ron Masas, security researcher at Imperva Inc., the bug exposed Facebook search results to a cross-site request forgery attack. A CSRF attack is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
“A unique feature of the uncovered bug is the exploitation of the Iframe element within Facebook’s search feature,” Masas told SiliconANGLE Tuesday. “This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends.”
The attack requires tricking a Facebook user into opening a malicious site and clicking anywhere on it, which opens a popup or a new tab to the Facebook search page. From there, the attacker can force the user to execute any search query, including queries crafted to reflect personal information about the user.
Fortunately, there are no cases of the bug being exploited, and Facebook patched it before the details were made public.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company,” Masas explained. “Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year. “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iFrames to leak the user’s personal information,” Masas added. “Interestingly, this technique leaves almost no trace, unlike authentication bypasses.”