It has not been Facebook’s year. Like at all. Cambridge Analytica, 30 million accounts that were affected by a hack, and privacy issues were the things that plagued the social network and its user base.
Yet there’s more. A security researcher at Imperva discovered a bug back in May that would have allowed potential hackers to access private information on Facebook users and their friends.
User information up for grabs
Ron Masas from Imperva figured out that each of Facebook’s online search results contained an iFrame element in their HTML which apparently allowed the researcher to see if a query was answered with yes or no. Asking and querying the right questions allowed him to access all kind of user information.
Of course not all data is publicly available – but this “issue” was easily solved by creating a malicious page. Unsuspecting users that were lured on it just had to click somewhere to trigger a JavaScript, which then would allow potential attackers to run as many queries as they wanted in order to extract personal information.
Privacy settings don’t matter
The queries itself would run questions that return yes and no answers, something like “does the user like the [insert random page name] page”. According to Masas the vulnerability exposed the user and their friends’ interests – no matter what the privacy settings were saying.
Take a look at the video in order to see how the vulnerability is exploited:
Some other interesting examples of data which Masas was able to extract are:
- Check if the current Facebook users have friends from Israel: https://www.facebook.com/search/me/friends/108099562543414/home-residents/intersect
- Check if the user has friends named “Ron”: https://www.facebook.com/search/str/ron/users-named/me/friends/intersect
- Check if the user has taken photos in certain locations/countries: https://www.facebook.com/search/me/photos/108099562543414/photos-in/intersect
- Check if the current user has Islamic friends: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/intersect
- Check if the current user has Islamic friends who live in the UK: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/106078429431815/residents/present/intersect
- Check if the current user wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_me%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
- Check if the current user’s friends wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_friends%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
Imperva and Facebook started to fix the issue immediately after its disclosure so there is no need for you to worry.
This post is also available in: German
