Security firm Imperva found a bug in May that allowed websites to read Facebook users and their friends’ private information. The troubling vulnerability let a site access users’ likes and interests through a manipulated Facebook Graph query. Thankfully, the bug has now been fixed
Imperva’s researcher Ron Masas discovered in May that Facebook was exposed to cross-site request forgery (CSRF). That means another website can access a logged-in Facebook user’s data through queries in code.
To exploit the bug, a site can embed an IFRAME – a site within a site – to siphon off data from a user. When a logged-in Facebook user visits a website with malicious code and clicks anywhere, the script will begin to gather data by sending queries to the social network, like “Does the user like running?” or “Does the user have friends in Canada?” You can see an example in the video below.
Masas found this bug while researching a Chrome vulnerability that allowed hackers to steal Facebook users’ private info. He said that it also allowed accessing users’ friends’ data even if the information was kept visible only to friends. He added that through more complex queries, it was possible to find information about a person’s religion, or a circle of friends living in a particular area.
A Facebook spokesperson told TechCrunch in a statement that there was no data loss:
We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.
The company awarded Imperva $8,000 in two separate bug bounty rewards.
This is the latest revelation in Facebook’s bug-filled year. Prior to this, the company faced a data breach in September affecting 29 million users. As Facebook collects more data on its users, it’ll need to be extra careful opening up access to it for third-parties in order to protect people’s privacy.