
How the Facebook Bug could have Exposed User Data


Recently, Facebook suffered a privacy leak after a bug allowed other websites to suck up data from users’ profiles. Read on to know more about it…

The social networking platform Facebook has once again compromised user privacy after a bug allowed other websites to view data from users’ profiles. The vulnerability was found by Imperva security researcher Ron Masas back in May this year; Facebook quickly suppressed the bug, but its details have now surfaced through the media.

Had the bug been exploited, it could have allowed user data such as ‘likes’ and interests to be harvested; not exactly a major data deluge, but an infringement on users’ privacy.

The Bug
The bug has now been fixed by Facebook. Masas found that search results on Facebook weren’t fully protected. Basically, the search results lacked protection against an attack known as Cross-Site Request Forgery (CSRF), which, together with an iframe embedded in the results, could be used to access portions of user data. This means any website could easily access some of your data from your logged-in Facebook profile.

Masas explains that the vulnerability allowed malicious websites to use an iframe to open a Facebook tab and siphon information. He said that the vulnerability revealed the interests of the user as well as their friends, even if their privacy settings were set so that only the user’s friends could see their interests.

The vulnerability could be used by ad companies to micro-target their audiences.

Working Mechanism
While researching a vulnerability in the Chrome browser, Ron Masas noticed an iframe element in the HTML of Facebook’s online search results, likely used for Facebook’s internal tracking processes. Unlike other web elements, however, iframes can be used to embed material and as such are “exposed in part to cross-origin documents”. That element, combined with the fact that Facebook’s search page is effectively an endpoint that expects a GET request (a method of retrieving information from a server in response to a specific query) with search parameters in order to serve up results, and is not protected against cross-site request forgery, allowed Masas to come up with a data-extracting hack.

Masas explained: “For this attack to work we need to trick a Facebook user to open our malicious site and click anywhere on the site (this can be any site we can run JavaScript on), allowing us to open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.

“By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.

“For example, by searching: ‘pages I like named “Imperva”’ we force Facebook to return one result if the user liked the Imperva page or zero results if not.”

After this process, an attacker could basically infer a target and their Facebook friends’ private data, such as finding posts with certain text or seeing if they have photos taken at a specific location. All dodgy stuff.

But Facebook told TechCrunch that it hasn’t seen any abuse of the vulnerability. And given that Masas was on a vulnerability hunt, we suspect that such a bug isn’t something that opportunistic hackers would stumble across.

But now, Facebook has fixed the bug that let other websites access any user’s information. Facebook has told TechCrunch that the issue has been fixed now and it did not receive any reports of the misuse of this vulnerability.
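
One way a site could harden a search endpoint against the popup technique described under Working Mechanism, shown here as an added example. It is not Facebook's fix, which this article does not detail, and the `/search` path, `decideSearchRequest` and the redirect policy are assumptions for illustration.

```javascript
// Added illustration; not Facebook's code. The /search path, function names
// and the redirect policy are assumptions.

// Headers sent on every search response.
const HARDENING_HEADERS = {
  // Isolates the page from a cross-origin opener, so a site that opened it
  // in a popup or tab holds no usable handle to read frames.length from.
  "Cross-Origin-Opener-Policy": "same-origin",
  // Stops other origins from embedding the results page in a frame.
  "Content-Security-Policy": "frame-ancestors 'self'",
  // The response depends on Sec-Fetch-Site, so caches must key on it.
  "Vary": "Sec-Fetch-Site",
};

// headers: request headers with lower-cased names; query: raw query string.
function decideSearchRequest(headers, query) {
  const site = headers["sec-fetch-site"];
  const serve = { action: "serve", headers: HARDENING_HEADERS };
  // Older browsers send no Fetch Metadata; serve and rely on the headers above.
  if (site === undefined) return serve;
  // "same-origin": the site's own pages. "none": typed URL or bookmark.
  if (site === "same-origin" || site === "none") return serve;
  // Any other value means another site initiated the request. If it also
  // chose the query, discard it so the user has to submit the search.
  if (query) return { action: "redirect", location: "/search", headers: HARDENING_HEADERS };
  return serve;
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: "popup opened by another site", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate" }, query: "q=pages+I+like+named+Imperva" },
  { name: "search from the site's own page", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "navigate" }, query: "q=pages+I+like+named+Imperva" },
  { name: "bookmarked search", headers: { "sec-fetch-site": "none", "sec-fetch-mode": "navigate" }, query: "q=imperva" },
  { name: "plain link from another site", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate" }, query: "" },
];

function runSamples() {
  return SAMPLES.map((s) => `${s.name}: ${decideSearchRequest(s.headers, s.query).action}`);
}

console.log(runSamples().join("\n"));
```

The request check removes the attacker's control over the query, while the opener policy removes the frame-count signal even if a query does get through.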

