Facebook flaw opened your profile to data thieves

The vulnerability made it possible for an attacker to see what you've liked, who your friends are and what they've liked. Facebook says the flaw's been fixed.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

Facebook CEO Mark Zuckerberg

James Martin/CNET

Your Facebook likes, posts and friends were exposed by a vulnerability the social network recently fixed.

The security flaw involved a cross-site request forgery, or CSRF, attack, which tricks pages into performing tasks they're not supposed to, combined with access to an account that a Facebook user had already logged in to. The vulnerability was tied to Facebook on Google's Chrome browser, which accounts for more than 60 percent of browsers used online. A Google spokeswoman said this flaw was addressed with an update in July

Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May. The security company detailed the flaw in a blog post on Tuesday morning. 

"We've fixed the issue in our search page and haven't seen any abuse," a Facebook spokesperson said in a statement.

For an attack to have worked, a hacker would've had to trick a person logged in to Facebook into opening up a malicious website. Once the person clicked anywhere on that site, the vulnerability would use iFrames -- code used to embed content, such as YouTube videos, on pages -- to open a new tab showing Facebook's search page.

From there, the attacker could've created searches to look for personal information, viewing your list of friends, for example, what pages you've liked, and what pages your friends have liked.

Ron Masas, a security researcher at Imperva, noted that an attacker could've crafted the searches to be more specific, checking on the person's friends based on location, name, religion or any combination of such attributes.

In Imperva's tests, Masas was also able to search for posts that contained specific text from the user who clicked on the malicious web page, or from any friends of that user. Even if your privacy settings were changed so that only your friends could view your likes, the vulnerability would've allowed an attacker to see, he added.

You can watch how the attack would work here:

Data like this can be extremely valuable to outside firms, as Facebook's Cambridge Analytica scandal demonstrated back in March.

The now-defunct data analysis firm from the UK got hold of information including likes and friends' interests from 87 million accounts on Facebook, without users' permission. It then used the data to build user profiles that could be used to target political advertising.

In September, Facebook said hackers had stolen personal information on 29 million people using vulnerabilities tied to its View As feature. Facebook declined to comment on who was behind the hack, saying it was still under FBI investigation, but The Wall Street Journal reported that it was likely spammers posing as a digital marketing company.

"Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company," Masas said. 

First published Nov. 13, 8:11 a.m. PT.
Updates, 8:54 a.m.:
Adds comments from Facebook; 10:03 a.m.: Includes response from Google.