Facebook Patches Bug that Exposed Private Information

Thursday, November 15, 2018

Ionut Arghire

Fa42af438e58b799189dd26386f5870f

Facebook recently addressed a vulnerability that could have allowed anyone to access private information about users and their contacts.

The vulnerability, Imperva security researcher Ron Masas explains, was found in Facebook’s online search function. He discovered that the HTML code for every search result contained an iframe element that could be exploited maliciously.

The issue is that the endpoint that expects a GET request with a number of search parameters is now cross-site request forgery (CSRF) protected. This allow users to share the search results page via a URL, but most users won’t take action, which makes it a non-issue.

When it comes to the Facebook online search, however, the problem is that the CSRF bug can be combined with the fact that iframes are exposed in part to cross-origin documents.

An attacker looking to abuse the vulnerability would need to trick a user into opening their malicious website and click anywhere there. The malicious site would only need to be running JavaScript.

The user interaction triggers a popup or a new tab to the Facebook search page, and the attacker forces the user to execute any search query they want.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property. By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,” Masas explains.

The security researcher, who published a proof-of-concept video, notes that he was able to extract a variety of private user data by exploiting the issue.

Such information included details on whether the user had friends from Israel or friends named “Ron,” whether the user had taken photos in certain locations/countries, if they had Islamic friends or Islamic friends living in the UK, and even if the user or their friends wrote a post containing a specific text.

The process, the researcher explains, can be repeated without the need for a new popup or tab, as the attacker has control over the location property of the Facebook window through running a specific snippet of code.

“This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site,” the security researcher says.

The attacker doesn’t even need a Facebook account to extract said information, Imperva told SecurityWeek in an email. The security firm also said that Facebook, who was alerted on the bug in May, issued two bounties (mobile and desktop), for the total amount of $8,000.

Related: Facebook Says 50M User Accounts Affected by Security Breach

Related: Facebook Asks Big Banks to Share Customer Details

24391
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.