Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Patches Vulnerability That Could Have Exposed User Data (theverge.com)

Posted by BeauHD on from the here-we-go-again dept.

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

9 of 19 comments (clear)

  1. Google Plus by sanf780 · · Score: 1

    Google decided to close Google Plus instead of patching a similar issue. It was not a leak because nobody knew it had been exploited, same as here.

    1. Re:Google Plus by antdude · · Score: 1

      So, Facebook will close too? [grin]

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. The only winning move by WCMI92 · · Score: 2

    Is to not use Facebook.

    --
    Corporatism != Free Market
  3. Yep. I catalogued 80 vulnerabilities today by raymorris · · Score: 1

    I work in the field too. Cataloged 80 new vulnerabilities today.

  4. Why is Chrome to blame? by manu0601 · · Score: 1

    It was a CSRF at Facebook, but why blame Chrome? The browser seems to just do its job.

  5. Re:Facebook Patches Vulnerability... by Anonymous Coward · · Score: 2, Informative

    Facebook is a bit different that most. You and I get paid to patch vulnerabilities. Facebook makes its money by being a data leaking vulnerability. To actually patch anything, Facebook would need to close up shop.

  6. the patch was by thePsychologist · · Score: 1

    rm -rf / on all of Facebook's servers.

    --
    "What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
  7. Truncated headline by Ol+Olsoc · · Score: 1
    "Facebook Patches Vulnerability That could Have Exposed User Data To GroupsThat Did Not Pay Facebook for That Data

    FTFT

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  8. Contrarian Wisdom by JoePete · · Score: 1

    In every middle school, you have the librarians-turned-media-specialists trying to teach kids cybersecurity by reviewing things like "privacy" settings on Facebook. It's time we start telling kids to ignore such rubbish and assume everything they post, email, text etc. will someday be public. Once we get that point across to kids and their parents, not only will we have a safer Internet but a more civil one.