Facebook’s New Dilemma, Silently Patched
Facebook has very recently and silently patched a vulnerability that enabled third-party sites to extract user information without first seeking the consent of the individual users concerned. The extracted aggregate data includes user “likes” and all their subcategories. 2018 has not been a good year for Facebook: after the very damaging breach of 30 million Facebook accounts in the previous months, the aftershocks are still being felt by its users.
This type of data input manipulation is nothing new; it is also known as a cross-site request forgery attack. However, it shows how lax Facebook’s engineers, especially its webmasters, have been with security, and it comes while Facebook is still dealing with the aftermath of the large-scale breach of 30 million accounts a couple of months ago.
“This process can be repeated without the need for new popups or tabs to be opened, since the attacker can control the location property of the Facebook window. This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries while the user is watching a video or reading an article on the attacker’s site,” added Masas.
Facebook has acknowledged the bug in its system and credited the community’s help in keeping the site as secure as possible. “We appreciate this researcher’s report to our bug bounty program. We’ve fixed the issue in our search page and haven’t seen any abuse. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications,” explained a Facebook representative.
“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends. The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” concluded Masas.
Following this episode, security researchers are hard at work discovering new vulnerabilities in the social media giant’s platform. Facebook may need to increase the rewards it offers in its bug bounty program, as only third parties can help the company discover the vulnerabilities that its own developers cannot detect alone.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com and others.