Facebook Fixes Bug That Collected User Profile Data

Facebook has fixed a bug that gave websites access to information from a user’s profile without their knowledge.

Ron Masas, a security researcher at Imperva, discovered that the social media site’s search results weren’t protecting users from cross-site request forgery (CSRF) attacks, which would allow fraudulent websites to secretly collect profile information.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” explained Masas.

Not only could a malicious website open several Facebook search queries in a new tab that would return “yes” or “no” responses, but it could also gather more complex results, including returning all a user’s friends with a particular name, a user’s posts with certain keywords and even personal demographics.

“The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” said Masas.
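The issue Masas describes is a cross-site one: a page on another site drives the logged-in user's browser to load Facebook search results, and the response is computed with the victim's session. The browser-enforced controls that limit this class of leak are cookie attributes (SameSite, Secure, HttpOnly), framing restrictions (CSP frame-ancestors or X-Frame-Options), opener isolation (Cross-Origin-Opener-Policy), and server-side use of Fetch Metadata. The following is an added example, not code from the article, from Imperva or from Facebook; the header and attribute names are real web-platform mechanisms, while the session-cookie names and the two sample responses are constructed assumptions.

```python
"""Audit HTTP responses for the browser-enforced defences that limit
cross-site request forgery and cross-origin leakage of per-user data.

Added example for illustration; it is not code from the article, from
Imperva or from Facebook. The header and cookie attribute names are the
real web-platform mechanisms; the sample responses below are constructed.
"""
from dataclasses import dataclass

# Names we assume identify the login/session cookie (assumption, not from the page).
SESSION_COOKIE_NAMES = ("sid", "session", "sessionid")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    message: str


def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, {attribute: value or True})."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_response(headers, set_cookies):
    """Return a list of Finding for one response.

    headers: dict of response header name -> value (matched case-insensitively)
    set_cookies: list of Set-Cookie values (a response may carry several)
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. Session cookie attributes. Without SameSite=Lax/Strict the browser
    #    attaches the cookie to requests that another site's page triggers,
    #    so those requests are answered as the logged-in user.
    for line in set_cookies:
        name, attrs = parse_set_cookie(line)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        samesite = str(attrs.get("samesite", "")).lower()
        if samesite not in ("lax", "strict"):
            findings.append(Finding("high", f"cookie {name!r} has no SameSite=Lax/Strict: "
                                            "it is sent on cross-site requests"))
        if "secure" not in attrs:
            findings.append(Finding("medium", f"cookie {name!r} lacks Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("medium", f"cookie {name!r} lacks HttpOnly"))

    # 2. Framing. A response that any origin may embed can be probed from the
    #    embedding page; CSP frame-ancestors (preferred) or X-Frame-Options
    #    restricts which origins may frame it.
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(Finding("high", "response may be framed by any origin: "
                                        "no CSP frame-ancestors and no X-Frame-Options"))

    # 3. Opener isolation. When a cross-origin page opens this one in a new
    #    tab, a Cross-Origin-Opener-Policy other than unsafe-none severs the
    #    opener's window reference to the new document.
    coop = h.get("cross-origin-opener-policy", "").strip().lower()
    if coop in ("", "unsafe-none"):
        findings.append(Finding("medium", "no Cross-Origin-Opener-Policy: a cross-origin "
                                          "opener keeps a window reference to this page"))
    return findings


def is_cross_site_request(request_headers):
    """Server-side check using Fetch Metadata: True when the browser reports
    that a different site initiated the request (Sec-Fetch-Site: cross-site)."""
    h = {k.lower(): v for k, v in request_headers.items()}
    return h.get("sec-fetch-site", "").lower() == "cross-site"


# Constructed sample responses (not captured from any real site).
WEAK = (
    {"Content-Type": "text/html"},
    ["sid=abc123; Path=/"],
)
HARDENED = (
    {"Content-Type": "text/html",
     "Content-Security-Policy": "frame-ancestors 'self'",
     "Cross-Origin-Opener-Policy": "same-origin"},
    ["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
)

if __name__ == "__main__":
    for label, (hdrs, cookies) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for f in audit_response(hdrs, cookies):
            print(f"  [{f.severity}] {f.message}")
```

Run against the constructed `WEAK` response the audit reports five findings (no SameSite, no Secure, no HttpOnly, frameable by any origin, no opener policy); the `HARDENED` response reports none. The request-side check complements the response audit: a search endpoint that returns per-user results can refuse requests the browser labels `cross-site` rather than relying on the caller's origin being unable to read the result.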

But Facebook told TechCrunch that the company hasn’t seen any abuse: “We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

This is the latest breach for Facebook. Last year, it was revealed that 87 million of its users may have had their data shared with controversial research firm Cambridge Analytica. At the same time, 126 million Americans — accounting for a third of the nation’s population — were exposed to content placed on Facebook by Russian sources during the 2016 elections. Then, in September, the company admitted that roughly 50 million of its users had their data exposed through an attack on its network.

As a result, a recent poll showed that Americans believe Facebook to be the least trustworthy of all the major technology companies as far as protecting user data.

“Facebook is in the bottom in terms of trust in housing your personal data,” said Harris Poll CEO John Gerzema. “Facebook’s crises continue rolling in the news cycle.”