Facebook’s New Dilemma, Silently Patched

Facebook has silently patched a vulnerability very recently that enabled 3rd party sites to extract user information without seeking the consent of individual users first. The aggregate data extraction includes user “likes”, and all its subcategories. It is unfortunate that 2018 is not a good year for Facebook, after that very damaging 30 million Facebook accounts hacked in the previous months, the aftershocks are still being felt by its users.

“For this attack to work we need to trick a Facebook user to open our malicious site and click anywhere on the site, (this can be any site we can run JavaScript on) allowing us to open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want. Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property. By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,” explained Ron Masas, Imperva’s Security Researcher.

This type of data input manipulation is nothing new, also known as a cross-site request forgery attack. However, it goes to show how Facebook’s engineers, especially their webmasters have been lax with security. This is in the wake of Facebook dealing with the aftermath of the big time 30 million accounts getting breached a couple of months ago.

“This process can be repeated without the need for new popups or tabs to be open since the attacker can control the location property of the Facebook window. This is especially dangerous for mobile users since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site,” added Masas.

Facebook has fully recognized the bug in their system and has acknowledged the help of the community in keeping the site as secure as possible. “We appreciate this researcher’s report to our bug bounty program. We’ve fixed the issue in our search page and haven’t seen any abuse. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications,” explained a Facebook representative.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends. The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” concluded Masas.

With this episode, the security researchers are very hard at work to discover new vulnerabilities with the social media giant. Facebook may need to increase the rewards they provide in their bounty hunter program, as only 3rd parties can help the company discover vulnerabilities that cannot be detected by their developers alone.