A new security vulnerability has been reported in Facebook, the flaw could have been exploited by attackers to obtain certain personal information about users and their network of contacts.
The recently discovered issue raises once again the concerns about the privacy of the users of social network giant.
The vulnerability was discovered by security experts from Imperva, it resides in the way Facebook search feature displays results for queries provided by the users.
The good news for Facebook users is that this flaw has already been patched and did not allow attackers to conduct massive scraping of the social network for users’ information.
The page used to display the results of the users’ queries includes iFrame elements associated with each result, experts discovered that the URLs associated to those iFrames is vulnerable against cross-site request forgery (CSRF) attacks.
“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.
By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.”
Searching something like “pages I like named `Imperva`” the exports noticed they were forcing the social network to return one result if the user liked the Imperva page or zero results if not.
Composing specific queries it was possible to extract data about the user’s friends, below some interesting examples of queries provided by the experts:
Below the video PoC published by Imperva:
The process can be repeated without the need for new popups or tabs to be open because the attacker can control the location property of the Facebook window using the following code.
Experts pointed out that mobile users are particularly exposed to such kind of attack because it is easy for them to forget open windows in the background allowing attackers to extract the results for multiple queries.
Imperva reported the flaw to Facebook through the company’s vulnerability disclosure program in May 2018, and the social network addressed the problem in a few days implementing CSRF protections.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(Security Affairs – BCMPUPnP_Hunter botnet, hacking)