The security company Imperva has released new details on a Facebook vulnerability that could have exposed user data. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser. The bug was disclosed to Facebook and resolved in May.
In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information.
Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user’s friends like a company’s Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user’s friends.
Imperva says the attack was not a common technique and that the issue has been resolved with Facebook. However, it does note that such more sophisticated social engineering attacks could become more common in 2019.
Reached by The Verge, Facebook emphasized that the underlying vulnerability could affect other websites as well. “We appreciate this researcher’s report to our bug bounty program,” a representative told The Verge. “We’ve fixed the issue in our search page and haven’t seen any abuse. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
This is far from the first time Facebook has faced security issues with its users’ data. Most notable was the Cambridge Analytica scandal from earlier this year, where millions of users had their information misused by the data mining firm. There was also a recent cyber attack where information from millions of Facebook accounts was accessed, including users’ current city and 15 most recent searches. In March, Mark Zuckerberg said in an interview on CNN regarding Cambridge Analytica that “this was a major breach of trust, and I’m really sorry this happened. Our responsibility now is to make sure this doesn’t happen again.”