Facebook flaw opened your profile to data thieves
The vulnerability made it possible for an attacker to see what you've liked, who your friends are and what they've liked. Facebook says the flaw's been fixed.
Facebook CEO Mark Zuckerberg
Your Facebook likes, posts and friends were exposed by a vulnerability the social network recently fixed.
The security flaw involved a cross-site request forgery, or CSRF, attack, which tricks pages into performing tasks they're not supposed to, combined with access to an account that a Facebook user had already logged in to. The vulnerability was tied to Facebook on Google's Chrome browser, which accounts for more than 60 percent of browsers used online. A Google spokeswoman said this flaw was addressed with an update in July.
Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May. The security company detailed the flaw in a blog post on Tuesday morning.
"We've fixed the issue in our search page and haven't seen any abuse," a Facebook spokesperson said in a statement.
For an attack to have worked, a hacker would've had to trick a person logged in to Facebook into opening up a malicious website. Once the person clicked anywhere on that site, the vulnerability would use iFrames -- code used to embed content, such as YouTube videos, on pages -- to open a new tab showing Facebook's search page.
From there, the attacker could've created searches to look for personal information, viewing your list of friends, for example, what pages you've liked, and what pages your friends have liked.
Ron Masas, a security researcher at Imperva, noted that an attacker could've crafted the searches to be more specific, checking on the person's friends based on location, name, religion or any combination of such attributes.
In Imperva's tests, Masas was also able to search for posts that contained specific text from the user who clicked on the malicious web page, or from any friends of that user. Even if your privacy settings were changed so that only your friends could view your likes, the vulnerability would've allowed an attacker to see, he added.
You can watch how the attack would work here:
Data like this can be extremely valuable to outside firms, as Facebook's Cambridge Analytica scandal demonstrated back in March.
The now-defunct data analysis firm from the UK got hold of information including likes and friends' interests from 87 million accounts on Facebook, without users' permission. It then used the data to build user profiles that could be used to target political advertising.
In September, Facebook said hackers had stolen personal information on 29 million people using vulnerabilities tied to its View As feature. Facebook declined to comment on who was behind the hack, saying it was still under FBI investigation, but The Wall Street Journal reported that it was likely spammers posing as a digital marketing company.
"Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company," Masas said.
First published Nov. 13, 8:11 a.m. PT.
Updates, 8:54 a.m.: Adds comments from Facebook; 10:03 a.m.: Includes response from Google.