We all know the scrutiny Facebook has been in regards to data protection, and at the start of the year, Facebook was once again under the lights for the Cambridge Analytica scandal. This time there has been yet another security vulnerability reported in Facebook that could have allowed attackers to obtain certain personal information of users and their family and friends, Potentially putting the privacy of users of the world’s most popular social network at risk. Throughout this article, we will analyse the vulnerability and demonstrate how it works.
This vulnerability was discovered by Ron Marsas, a Cybersecurity researcher from Imperva. According to Ron Masas, the flaw displays search results that include iFrame elements associated with each outcome, where the endpoint URLs of those iFrames did not have any protection mechanisms in place to protect against cross-site request forgery (CSRF) attacks.
How does this Vulnerability work?
All that attackers need to do to exploit this vulnerability is to simply trick the user into visiting a malicious site on their web browser where they have already logged into their Facebook accounts. The malicious site will then have a javascript code that will get executed in the background as soon as the victim (user) clicks anywhere on that page.
“For this attack to work we need to trick a Facebook user to open our malicious site and click anywhere on the site, (this can be any site we can run JavaScript on) allowing us to open a popup or new tab to the Facebook search page, forcing the user to execute any search query we want,” Masas explained in a blog post.
In the video below Masas demonstrates the JavaScript code opens a new tab or window to extract targeted information. Searching something on Facebook seems less lucrative, especially when the exploit code returns the result in just yes or no.
However, if used correctly, Facebook’s search feature could be exploited to extract sensitive information related to your Facebook account, such as checking:
- If you have a friend with a specific name or a keyword in his/her name
- If you like a particular page or are a member of a specific group
- If you have a friend who likes a particular page
- If you have taken photos in a certain location or country
- If you have ever posted a photo taken at certain places/countries
- If you have ever posted an update on your timeline containing a specific text/keyword
And so on… any custom query you can come up with.
“This process can be repeated without the need for new popups or tabs to be open since the attacker can control the location property of the FAcebook window,” Masas added. “This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site.”
In short, this vulnerability exposed the interests and activities of targeted users and their friends even if their privacy settings are set in a way that this information can only be visible to them or their friends.
The good news is that Imperva responsible reported the bug to Facebook through the company’s vulnerability disclosure program in May 2018, and the social giants have now resolved the issue by adding CSRF protections. However, even tho this has now been patched your sensitive information could have already been leaked!
We recommend you go on to ‘haveibeenpwned‘ and type your facebook email login to see if you’ve been hacked.
Other Articles You May Enjoy:
Share your thoughts in the Comments section: