Slashdot Mirror


Facebook Patches Vulnerability That Could Have Exposed User Data (theverge.com)

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

19 comments

  1. Google Plus by sanf780 · · Score: 1

    Google decided to close Google Plus instead of patching a similar issue. It was not a leak because nobody knew it had been exploited, same as here.

    1. Re:Google Plus by antdude · · Score: 1

      So, Facebook will close too? [grin]

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

  2. Facebook Patches Vulnerability... by Anonymous Coward · · Score: 0

    Well, I should hope so, right?

    Is this really a story? I probably patch dozens of vulnerabilities a day. That's what I get paid to do.

    1. Re:Facebook Patches Vulnerability... by Anonymous Coward · · Score: 2, Informative

      Facebook is a bit different than most. You and I get paid to patch vulnerabilities. Facebook makes its money by being a data leaking vulnerability. To actually patch anything, Facebook would need to close up shop.

  3. The only winning move by WCMI92 · · Score: 2

    Is to not use Facebook.

    --
    Corporatism != Free Market

    1. Re:The only winning move by Anonymous Coward · · Score: 0

      I did use Facebook for a while. Got tired of being useless at some point and stopped. This was made easier by one of the Facebook "updates" that reset all data access to public. It was probably the third time that it happened to me; I did have my mobile and contact info up there for friends and family. Swore off the platform at that point. A lot of my friends did also.

      We've resorted to just texting our regular nonsense.

      i like winning. it feels like victory.

  4. Facebook by Anonymous Coward · · Score: 0

    is that still a thing?

  5. Yep. I catalogued 80 vulnerabilities today by raymorris · · Score: 1

    I work in the field too. Cataloged 80 new vulnerabilities today.

  6. Nazi faggot RAY MORRIS pushes debunked PROPAGANDA by Anonymous Coward · · Score: 0

    https://tech.slashdot.org/comments.pl?sid=12520486&cid=57184660 - KNOWN LYING FAGGOT RAY MORRIS PUSHING DEBUNKED NAZI PROPAGANDA AFTER CAUGHT, WHAT A LYING FAGGOT. GET A ROPE.


  7. You "probably" patch jack shit per ever by Anonymous Coward · · Score: 0

    Applying patches != patching the code. You're bragging about glorified monkey work, double clicking.

    Of course debunked nazi propagandist Ray Morris is happy to suck your banana.

  8. Why is Chrome to blame? by manu0601 · · Score: 1

    It was a CSRF at Facebook, but why blame Chrome? The browser seems to just do its job.

  9. IMPERSONATING me AGAIN? apk by Anonymous Coward · · Score: 0

    You're caught impersonating me c6gunner (your name's the submitter signing "APK") https://linux.slashdot.org/com... & you ALTERED /.ers PRAISE of my work (not yours you don't even HAVE).

    (Don't throw stones if you live in a glass house vs. me: RIGHT ZIP? https://yro.slashdot.org/comme... )

    *** IGNORANT LYING CHIMP "ZIP" SHOT DOWN FOR HIS LIES & TECH FUCKUPS vs. me https://games.slashdot.org/com...

    LIAR ZIP says he has no account "I don't have an account, so I don't have mod points" https://news.slashdot.org/comm...

    Yet LIAR ZIP says he downmods my posts (IMPOSSIBLE MINUS AN ACCOUNT on /.): "I down-modded a few of your post on other threads" - by Anonymous Coward "ZIP" on Thursday October 11, 2018 @11:31AM (#57461058) FROM https://yro.slashdot.org/comme...

    These PUSSY bullshit artists aren't bullies - they're worse - they're pussy ass PUNKS & talkers (all talk "ne'er-do-well" DO-NOTHINGS).

    APK

    P.S.=> Hosts can stop portsmash (blocking downloads of it) "You basically have to already be able to run your own evil code on a machine in order to PortSmash it." from https://www.theregister.co.uk/... not Spectre/Meltdown AFAIK (but it's POSSIBLE it might but NOT TOTALLY SURE here (vs. say, RPC using them which would be REMOTE vs. LOCAL as in portsmash above) per https://meltdownattack.com/mel... &/or https://spectreattack.com/spec... ACADEMIC RESEARCH into their mechanics ) - & U FAIL a PORTFILTERING TEST https://yro.slashdot.org/comme... ... apk

    1. Re:IMPERSONATING me AGAIN? apk by Anonymous Coward · · Score: 0

      APK = creimer

  10. the patch was by thePsychologist · · Score: 1

    rm -rf / on all of Facebook's servers.

    --
    "What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson

  11. Truncated headline by Ol+Olsoc · · Score: 1

    "Facebook Patches Vulnerability That Could Have Exposed User Data To Groups That Did Not Pay Facebook for That Data"

    FTFT

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  12. Zach Patterson alias "ZIP" you LOSE stupid... apk by Anonymous Coward · · Score: 0

    See subject: A lying BLOWHARD bullshit artist that can't READ stupid CHIMP named Zach Patterson https://tech.slashdot.org/comm... who tried to "take credit" for something I did BEFORE him with proof of it RIGHT there & he says "I'm a much better programmer than APK" - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082) FROM https://yro.slashdot.org/comme... ) ?

    * FUNNY THAT JACKASS IS ALL TALK but not a DAMN THING to show for himself in code let alone what others LIKE/USE/PRAISE (even /.ers) in MY work (that 100k++ users do worldwide also).

    APK

    P.S.=> There's TOO MANY pitiful do-NOTHING "ne'er-do-wells" INFESTING this place that are like YOU, you disgusting UNIDENTIFIABLE anonymous punk IMPERSONATING me... apk

  13. The ultimate solution by Anonymous Coward · · Score: 0

    They moved Mark Zuckerberg's desk into a closet.

  14. Contrarian Wisdom by JoePete · · Score: 1

    In every middle school, you have the librarians-turned-media-specialists trying to teach kids cybersecurity by reviewing things like "privacy" settings on Facebook. It's time we start telling kids to ignore such rubbish and assume everything they post, email, text etc. will someday be public. Once we get that point across to kids and their parents, not only will we have a safer Internet but a more civil one.