Security firm Imperva found a bug in May that allowed websites to read Facebook users' and their friends' private information. The troubling vulnerability let a website access users' likes and interests by means of a manipulated Facebook Graph query. Thankfully, the bug has now been fixed.
Imperva researcher Ron Masas found in May that Facebook was exposed to cross-site request forgery (CSRF). That means another website can access a logged-in Facebook user's data by means of queries in code.
To exploit the bug, a website can embed an IFRAME (a website inside a website) to siphon off data from a user. When a logged-in Facebook user visits a website with malicious code and clicks anywhere, the script starts to collect data by sending queries to the social network, such as "Does the user like running?" or "Does the user have friends in Canada?" You can see an example in the video below.
Masas discovered this bug while researching a Chrome vulnerability that allowed hackers to steal Facebook users' private data. He said that it also allowed access to users' friends' data even when that information was set to be visible only to friends. He added that, by means of more complex queries, it was possible to find out details about a person's religion, or a circle of friends living in a particular area.
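The leak described above depends on two properties of the target's HTTP response: the page can be placed in a third-party IFRAME, and the browser still attaches the session cookie to that framed request. The following Python audit, added here as an example and not part of the original article or Imperva's research, checks both against constructed header sets (no real Facebook headers are used).

```python
"""Audit whether an HTTP response could be loaded in a third-party IFRAME
while still carrying the user's session cookie, the two conditions the
cross-site data leak described above depends on. Added example; the
header sets below are constructed, not captured from any real site."""
import re

def frameable_cross_origin(headers: dict) -> bool:
    """True if another origin may embed this response in an IFRAME."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return False
    csp = h.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
    if m:
        sources = [s.lower() for s in m.group(1).split()]
        # Only 'none' / 'self' keep third-party origins out.
        return not all(s in ("'none'", "'self'") for s in sources)
    return True  # no framing restriction declared at all

def cookie_sent_to_cross_site_frame(set_cookie: str) -> bool:
    """True if the cookie would accompany a cross-site IFRAME request.
    SameSite=Lax or Strict withholds it; None or no attribute does not
    (some browsers default to Lax, but assume the worst for an audit)."""
    m = re.search(r";\s*samesite\s*=\s*(\w+)", set_cookie, re.I)
    return m is None or m.group(1).lower() not in ("lax", "strict")

def cross_site_leak_possible(headers: dict) -> bool:
    """Both conditions together: embeddable and authenticated when embedded."""
    h = {k.lower(): v for k, v in headers.items()}
    return frameable_cross_origin(h) and cookie_sent_to_cross_site_frame(
        h.get("set-cookie", ""))

# Constructed sample responses (not real Facebook headers).
WEAK = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Secure; HttpOnly",
}
HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: cross-site leak possible = {cross_site_leak_possible(hdrs)}")
```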
We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.
The company awarded Imperva $8,000 in two separate bug bounty rewards.
This is the latest revelation in Facebook's bug-filled year. Prior to this, the company faced a data breach in September affecting 29 million users. As Facebook collects more data on its users, it will need to be extra cautious about opening up access to it for third parties in order to protect people's privacy.