Facebook has fixed a bug that gave websites access to information from a user’s profile without their knowledge.
Ron Masas, a security researcher at Imperva, discovered that the social media site’s search results weren’t protecting users from cross-site request forgery (CSRF) attacks, which would allow fraudulent websites to secretly collect profile information.
“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” explained Masas.
Not only could a malicious website open several Facebook search queries in a new tab that would return “yes” or “no” responses, but it could also gather more complex results, including all of a user’s friends with a particular name, a user’s posts containing certain keywords and even personal demographics.
“The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” said Masas.
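The class of bug described above is a cross-site leak: a page on one site triggers a logged-in request to another site's search endpoint and learns something from how the response behaves. As an added example that is not code from the article, Facebook or Imperva, the snippet below shows the application-side controls a search endpoint can apply so that such a request is either refused or yields nothing observable: a resource-isolation check on the Fetch Metadata request headers browsers send (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), with an Origin/Referer fallback for browsers that lack them, plus a SameSite session cookie and response headers that forbid framing and sever a cross-site opener's window handle. The origin, function names and header set are assumptions for illustration.

```javascript
// Added example, not code from the article, Facebook or Imperva: a server-side
// resource-isolation check for a search endpoint, built on the Fetch Metadata
// request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), together with
// the cookie attribute and response headers that keep a page on another site from
// reading anything about the result. All names here are hypothetical.

// Constructed placeholder for the application's own origin.
const APP_ORIGIN = 'https://www.example.test';

// Response headers for the protected endpoint: the page cannot be framed, and a
// cross-site opener (window.open from another site) gets no window handle to probe.
const ISOLATION_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cache-Control': 'no-store',
};

// Session cookie that browsers will not attach to cross-site subresource or
// script-initiated requests (SameSite=Lax still allows top-level GET navigations,
// which the isolation headers above make harmless).
function sessionCookie(value) {
  return `session=${value}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Decide whether a request for the search endpoint may be answered with the
// user's data. req = { method, headers } with lowercase header names, as Node's
// http module exposes them. Returns { allow, reason } so denials can be logged.
function evaluateSearchRequest(req) {
  const h = req.headers || {};
  const method = (req.method || 'GET').toUpperCase();
  const site = (h['sec-fetch-site'] || '').toLowerCase();
  const mode = (h['sec-fetch-mode'] || '').toLowerCase();
  const dest = (h['sec-fetch-dest'] || '').toLowerCase();

  if (site === '') {
    // Older browser without Fetch Metadata: fall back to Origin, then Referer.
    const src = originOf(h['origin'] || h['referer'] || '');
    if (src === null) return { allow: true, reason: 'no metadata and no referrer (direct navigation)' };
    if (src === APP_ORIGIN) return { allow: true, reason: 'same-origin referrer' };
    return { allow: false, reason: `cross-origin referrer ${src}` };
  }

  // The browser classifies the request as ours, or as user-initiated (typed URL, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }

  // Cross-site: a user following a link into a new top-level document is fine;
  // the isolation headers keep the opener from learning anything about it.
  if (method === 'GET' && mode === 'navigate' && dest === 'document') {
    return { allow: true, reason: 'cross-site top-level navigation' };
  }

  // Every other cross-site request (iframe, fetch/XHR, image, script, form POST)
  // is exactly the channel a probing page would use, so refuse it.
  return { allow: false, reason: `cross-site ${mode || 'unknown'} request for ${dest || 'unknown'}` };
}

// Build the minimal response for a search request: 403 on denial, and the
// isolation headers on every response so an allowed page is still unreadable
// from another site.
function handleSearch(req) {
  const verdict = evaluateSearchRequest(req);
  return {
    status: verdict.allow ? 200 : 403,
    headers: { ...ISOLATION_HEADERS },
    reason: verdict.reason,
  };
}
```

The Referer fallback is deliberately strict: a request that arrives from another origin with no Fetch Metadata is refused even if it might be an ordinary link, because without Sec-Fetch-Mode the server cannot tell a navigation from an iframe load. Denied requests should be logged with the returned reason; a burst of cross-site iframe or fetch requests against a search path from one referrer is the detection signal for this kind of probing.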
But Facebook told TechCrunch that the company hasn’t seen any abuse: “We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
This is the latest breach for Facebook. Last year, it was revealed that 87 million of its users may have had their data shared with controversial research firm Cambridge Analytica. At the same time, 126 million Americans — accounting for a third of the nation’s population — were exposed to content placed on Facebook by Russian sources during the 2016 elections. Then, in September, the company admitted that roughly 50 million of its users had their data exposed through an attack on its network.
“Facebook is in the bottom in terms of trust in housing your personal data,” said Harris Poll CEO John Gerzema. “Facebook’s crises continue rolling in the news cycle.”