
discovered a bug back in May that would have allowed potential hackers to access private information on Facebook users and their friends.
Ron Masas from Imperva figured out that each of Facebook’s online search results contained an iFrame element in their HTML which apparently allowed the researcher to see if a query was answered with yes or no. Asking and querying the right questions allowed him to access all kind of user information.
Of course not all data is publicly available – but this “issue” was easily solved by creating a malicious page. Unsuspecting users that were lured on it just had to click somewhere to trigger a JavaScript, which then would allow potential attackers to run as many queries as they wanted in order to extract personal information.
The queries itself would run questions that return yes and no answers, something like “does the user like the [insert random page name] page”. According to Masas the vulnerability exposed the user and their friends’ interests – no matter what the privacy settings were saying.
Take a look at the video in order to see how the vulnerability is exploited:
Some other interesting examples of data which Masas was able to extract are:
Imperva and Facebook started to fix the issue immediately after its disclosure so there is no need for you to worry.