A bug allowed a third-party website to access Facebook users’ data, such as their interests and likes, without their knowledge, according to a report. It cited the findings of Imperva security researcher Ron Masas, who said that Facebook search results were not properly safeguarded against cross-site request forgery (CSRF) attacks. In practice this meant that a website opened in a user’s browser could silently pull certain data from the Facebook profile the user was logged into in another tab, because the browser attaches the Facebook session cookie to any request the site makes to facebook.com. Masas showed how a malicious website could use an IFRAME to secretly collect profile information. Facebook has since fixed the issue.
The bug would allow the malicious website to open search queries in a new tab or inside an embedded frame and run queries whose outcome amounts to a simple “yes” or “no” answer, for example whether the user likes a specific Facebook page. Chained search queries could then yield more complex results: friends with a particular name, posts containing certain keywords, or the user’s friend circle filtered by religion or city. Masas warns that advertising companies could leverage this kind of data. The report also revealed that Imperva privately disclosed the bug a few months earlier and received $8,000 in two separate bug bounties; Facebook fixed the bug within days by adding CSRF protections to the search endpoint.
The year 2018, in particular, has turned out to be a bad one for Facebook, with numerous security lapses and data leaks throughout the year, from the Facebook-Cambridge Analytica data scandal to Facebook’s repeated failures to protect its users’ privacy.