The Bug That Exposed Facebook Users’ And Their Friends’ Interests Was Fixed Shortly After
Author - Nov 15, 2018
Malicious websites exploited a bug on the Facebook website to see users’ likes and interests without their knowledge.
Facebook has seemingly had a difficult year, facing scandals that included security breaches and hacks. A security researcher recently revealed another piece of bad news for the company.
According to this disclosure, malicious websites exploited a bug on Facebook.com to see users’ likes and interests without the users’ knowledge.
Ron Masas, a security researcher at Imperva, detected the bug in May 2018. He reportedly found that search results on Facebook were what made the Cross-Site Request Forgery (CSRF for short) attacks possible.
CSRF, also known as Sea Surfing, is a type of attack in which the web browser is tricked into performing an action inside an application that the user is logged in to. As a consequence, the attack affects both end users and businesses.
In the case of Facebook, users’ data was siphoned off in another browser tab, and a website could then embed an IFrame to make use of that data while the users were unaware.
He further explained that the IFrame HTML document was used to “allow information to cross over domains”. In other words, hackers could use Facebook to gather all the information relating to users and their friends when those users visited a suspicious website.
Moreover, the website opened search queries on Facebook in a new tab, so when users had liked a page, hackers would get that information. The same thing happened when hackers used certain keywords to search for posts by the users that only their Facebook friends can see.
Even when users set their privacy settings to hide their interests from everyone but their friends, the settings offered no protection against the bug. Advertising companies may be the beneficiaries in this scenario.
The good news is that the company rapidly fixed this bug a few days later, as soon as it came to light.
A Facebook spokesperson claimed that the company sent a warning to browser makers as well as web standards groups to prevent this bug from affecting other web applications.