
    Vulnerability in Facebook May Have Exposed User Information

      Facebook is again in the news over a case involving the privacy of its users. Security firm Imperva has released details about a vulnerability in the social network that may have left user data exposed. By exploiting the bug, websites could obtain private information about Facebook users and their friends through unauthorized access to a company API, relying on a specific behavior in the Google Chrome browser. The bug was reported to Facebook and resolved in May.


      The attack in question is a cross-site request forgery that abuses a user's legitimate Facebook login without authorization. For the attack to work, a user needed to visit a malicious website in Chrome and then click anywhere on the site while logged into Facebook. Only then could attackers open a new popup or tab on the Facebook search page and run a number of queries to extract personal information.



      As examples, Imperva cites checking whether a user has taken photos in a certain location or country, whether the user has written recent posts that contain specific text, or whether a user's friends like a certain company's Facebook page. The vulnerability exposed the interests of users and their friends, even if privacy settings were changed.

      Facebook told The Verge that the underlying vulnerability could also affect other websites. "We appreciate this researcher's report to our bug bounty program," a representative told The Verge. "We fixed the issue on our search page and did not see any abuse. As the underlying behavior is not specific to Facebook, we have made recommendations to browser creators and relevant web standards groups to encourage them to take steps to prevent this type of problem from occurring in other web applications."



      Source: The Verge 
