Vulnerability in Facebook could have exposed personal user data
15 November, 2018, 21:01 | Author: Sammy Rose
Instead, Imperva security researcher Masas says in the announcement, "Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved".
"A unique feature of the uncovered bug is the exploitation of the Iframe element within Facebook's search feature", Masas told SiliconANGLE Tuesday. Masas found that Facebook search results were not sufficiently protected from cross-site request forgery attacks, meaning bad actors could have used an iframe to extract data from a logged-in Facebook profile in another tab.
Ankush Johar, Director at Infosec Ventures, explained, "Although CSRF flaws have a big prerequisite to work that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is, unlike other websites, most of the users are always logged into Facebook in their browsers thus putting everyone at massive risks". For example, the exploit could see if a user liked a certain page.
Attackers could have run queries with certain graph searches, such as to find out whether you liked a page, if you took photos at a certain location or if you or your friends used specific keywords in your posts.
Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year.
Masas added that the vulnerability was especially unsafe for mobile phone users, who may not even notice a new browser tab opening when the attack takes place.
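One server-side defence against the cross-site search requests described above is to check the browser's Fetch Metadata request headers before returning per-user results. The sketch below is an added example, not Facebook's or Imperva's code; the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: Fetch Metadata policy for a hypothetical per-user search endpoint.
const EMBED_DESTS = new Set(["iframe", "frame", "embed", "object"]);

// `headers` is a plain object keyed by lower-cased request header names.
function checkSearchRequest(headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"] || "";
  const dest = headers["sec-fetch-dest"] || "";

  // Browsers without Fetch Metadata send none of these headers; CSRF tokens
  // and SameSite cookies still have to cover those clients.
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };

  // Same-origin requests, and direct user actions such as a typed URL.
  if (site === "same-origin" || site === "none") return { allow: true, reason: site };

  // Everything else comes from another site (sibling subdomains included
  // here; relax that only if every subdomain is trusted).
  if (EMBED_DESTS.has(dest)) return { allow: false, reason: "cross-site-embed" };
  if (mode === "navigate") return { allow: false, reason: "cross-site-navigation" };
  return { allow: false, reason: "cross-site-subresource" };
}

// Status and headers for the response; framing is refused in every case.
function buildResponse(decision) {
  return {
    status: decision.allow ? 200 : 403,
    headers: {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
      "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
    },
  };
}

// Constructed sample requests: the site's own search box, a search page
// embedded in another site's iframe, and one opened in a new tab by another site.
const SAMPLE_REQUESTS = [
  { "sec-fetch-site": "same-origin", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" },
  { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "iframe" },
  { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" },
];

for (const req of SAMPLE_REQUESTS) {
  const decision = checkSearchRequest(req);
  console.log(buildResponse(decision).status, decision.reason);
}
```

Rejecting cross-site navigations also breaks inbound links to the endpoint, so a deployment would normally apply this only to pages that return per-user data.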
Even if these search queries didn't expose fine-grained details, they did expose second-hand information that could reveal, when pieced together, the identity of a user and his friends circle.
Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May. "As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications".
News of the bug comes amid increased scrutiny for Facebook following a string of data privacy scandals.