Facebook has received a lot of criticism lately due to mishandling of user data because of security vulnerabilities and now another one has come to light. A security company by the name of Imperva has provided details about another Facebook vulnerability that could have exposed information about users and their friends.
The vulnerability reportedly enabled websites to access private information about Facebook users and their friends through unauthorized access to a company API via a specific behavior in the Chrome browser. This vulnerability was disclosed to Facebook in May which was then patched.
To exploit the vulnerability, attackers would perform what’s referred to as cross-site request forgery. It would require a Facebook user to visit a malicious website with Chrome and then click anywhere on that site when they’re still logged in on Facebook. This would enable attackers to open a new pop-up or tab to the Facebook search page and run queries to access the user’s personal information.
Imperva provides examples of queries which include checking if the user has taken photos in a particular location or if they have written any posts with specific text. The vulnerability could thus be used to find out the interests of the user and their friends even if they had privacy settings configured in such a way that the information would only be visible to their friends.
“We appreciate this researcher’s report to our bug bounty program,” Facebook said in a statement, adding that “We’ve fixed the issue in our search page and haven’t seen any abuse. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
Filed in . Read more about Facebook.