Facebook patches vulnerability that could have exposed user data

Alfred Osborne
November 15, 2018

Facebook had a bug that allowed websites to capture data from users' profiles, such as their interests and likes, without the users being aware of it.

"This allowed information to cross over domains - essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends", Masas said.

Facebook fixed the issue in May and there's no indication that the flaw was successfully exploited by hackers. "Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook's use of iFrames to leak the user's personal information", Masas added. "This is especially unsafe for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker's site", he explained.

The attack would surely not work if users have two or three tabs open in their desktop browser and see a new Facebook tab being opened, but since most users tend to keep a large number of tabs in the tab bar, there's a high chance most users won't even see the attack going on, especially if they're focused on the attacker's malicious page, which should be easy if the page delivers a game, news article, or video.

Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May.

For an attack to have worked, a hacker would've had to trick a person logged in to Facebook into opening up a malicious website.


At the time, Facebook search was not protected against cross-site request forgery (CSRF), which means that it inherently trusted the browser that you used to navigate the site. By manipulating Facebook's graph search, it was possible to craft search queries that reflected personal information about the user.

Attackers could determine in which place and country users had taken photos, as well as gain access to users' messages containing a specific text.
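
One way to stop a personalised search endpoint from trusting every request the browser sends, as an added example that is not from the article, Imperva or Facebook: the server checks the browser's Fetch Metadata header (`Sec-Fetch-Site`), with an `Origin`/`Referer` fallback, and refuses requests started by another site. The origin `https://social.example`, the `/search` path and the function names are assumptions made for illustration.

```javascript
// Added example. OWN_ORIGIN and SENSITIVE_PATHS are constructed placeholders.
const OWN_ORIGIN = "https://social.example";
const SENSITIVE_PATHS = ["/search"]; // endpoints whose response depends on the logged-in user

function isSensitive(path) {
  const p = path.split("?")[0];
  return SENSITIVE_PATHS.some((s) => p === s || p.startsWith(s + "/"));
}

function sameOrigin(value) {
  try {
    return new URL(value).origin === OWN_ORIGIN;
  } catch {
    return false; // "null" or malformed values are not our origin
  }
}

// Decide whether to serve a personalised response. Returns { allow, reason }.
function checkRequest({ path, headers = {} }) {
  if (!isSensitive(path)) return { allow: true, reason: "not sensitive" };

  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const site = h["sec-fetch-site"];
  if (site !== undefined) {
    // same-origin: our own pages. none: typed URL or bookmark.
    // Anything else was started by another site, including a new tab or an
    // iframe opened from a page the user is visiting.
    const allow = site === "same-origin" || site === "none";
    return { allow, reason: "sec-fetch-site=" + site };
  }

  // Browsers without Fetch Metadata: fall back to Origin, then Referer.
  const source = h["origin"] || h["referer"];
  if (source === undefined) {
    // Design choice of this example: fail closed when provenance is unknown.
    return { allow: false, reason: "no provenance headers" };
  }
  return { allow: sameOrigin(source), reason: "source=" + source };
}
```
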

News of the bug comes amid increased scrutiny for Facebook following a string of data privacy scandals. The bug was identified in May and then reported to Facebook's management.

"We appreciate this researcher's report to our bug bounty program", said a Facebook spokesperson today in a statement.

"Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company".
