Vulnerability in Facebook could have exposed personal user data

15 November, 2018, 21:01 | Author: Sammy Rose
  • A new leak of user data has been identified at Facebook

Imperva security researcher Masas says in the announcement, "Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved".

"A unique feature of the uncovered bug is the exploitation of the Iframe element within Facebook's search feature", Masas told SiliconANGLE Tuesday. Masas found that Facebook search results were not sufficiently protected from cross-site request forgery attacks, meaning bad actors could have used an iFrame to extract data from a logged-in Facebook profile in another tab.

Ankush Johar, Director at Infosec Ventures explained, "Although CSRF flaws have a big prerequisite to work that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is, unlike other websites, most of the users are always logged into Facebook in their browsers thus putting everyone at massive risks". For example, the exploit could see if a user liked a certain page.

Attackers could have run queries with certain graph searches, such as to find out whether you liked a page, if you took photos at a certain location or if you or your friends used specific keywords in your posts.

Masas warned that though a CSRF attack is not a common technique, it could rise in popularity next year.

While testing out the attack, Masas was able to determine specific data on users and their friends regardless of one's privacy settings. If the user interacts with this page in any possible manner such as scrolling or clicking, the page will automatically execute malicious JavaScript code that will automate the search queries in a new tab.

Masas added that the vulnerability was especially unsafe for mobile phone users, who may not even notice a new browser tab opening when the attack takes place.

Even if these search queries didn't expose fine-grained details, they did expose second-hand information that, when pieced together, could reveal the identity of a user and his circle of friends.

Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May. "As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications".
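The weakness described above, an authenticated search page that a third-party site could load inside an iframe and query with the victim's session, is something a site owner can audit from the response headers of its own sensitive endpoints. The following is an added example, not code from Imperva or Facebook: it checks constructed sample responses for a frame-ancestors restriction and for SameSite cookie attributes, two browser-enforced controls that limit this kind of cross-site embedding; all header and cookie values are constructed samples.

```python
"""Audit HTTP response headers for defences against cross-site framing and CSRF.
Added example with constructed sample values; not code from Imperva or Facebook."""
import re
from typing import Dict, List

FRAME_ANCESTORS_RE = re.compile(r"frame-ancestors\s+([^;]+)", re.IGNORECASE)

def framing_allowed_cross_site(headers: Dict[str, str]) -> bool:
    """True if nothing stops a third-party page from embedding this response in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    m = FRAME_ANCESTORS_RE.search(h.get("content-security-policy", ""))
    if m:  # CSP frame-ancestors takes precedence over X-Frame-Options
        sources = [s.strip("'").lower() for s in m.group(1).split()]
        return not all(s in ("none", "self") for s in sources)
    return h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN")

def cookies_missing_samesite(set_cookie_lines: List[str]) -> List[str]:
    """Names of cookies a browser would still attach to cross-site requests
    (no SameSite attribute, or SameSite=None)."""
    weak = []
    for line in set_cookie_lines:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            key, _, value = p.partition("=")
            attrs[key.lower()] = value
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            weak.append(name)
    return weak

def audit(headers: Dict[str, str], set_cookie_lines: List[str]) -> List[str]:
    """Findings for a response from an authenticated endpoint such as a search page."""
    findings = []
    if framing_allowed_cross_site(headers):
        findings.append("response can be framed by any origin")
    for name in cookies_missing_samesite(set_cookie_lines):
        findings.append(f"cookie {name} is attached to cross-site requests")
    return findings

# Constructed sample responses: a weak one and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly"]
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "Content-Security-Policy": "frame-ancestors 'self'; default-src 'self'"}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    print("weak:", audit(WEAK_HEADERS, WEAK_COOKIES))
    print("hardened:", audit(HARDENED_HEADERS, HARDENED_COOKIES) or "no findings")
```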

News of the bug comes amid increased scrutiny for Facebook following a string of data privacy scandals.
