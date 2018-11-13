

Your Facebook "Likes," posts and friends were exposed from a vulnerability that the social network recently fixed.

The vulnerability combines cross-site request forgery (CSRF) -- in which a malicious site tricks a logged-in user's browser into sending requests to another site on the attacker's behalf -- with the victim's existing logged-in Facebook session. The security flaw is tied to Facebook on Google's Chrome browser, which accounts for more than 60 percent of browsers used online. Google did not immediately respond to a request for comment.

Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May.

"We've fixed the issue in our search page and haven't seen any abuse," a Facebook spokesperson said in a statement.

For the attack to work, a potential hacker would have to trick a person logged into Facebook into opening up a malicious website, which Imperva's researchers set up during their analysis.

Once the person clicks anywhere on that website, the attack uses iframes -- HTML elements used to embed content from another site, such as YouTube videos, inside a page -- to open a new tab containing Facebook's search page.

From there, the attacker could craft searches for personal information -- your friends, the pages you've liked, and the pages your friends have liked.

Ron Masas, a security researcher at Imperva, noted that the searches could be made more specific, for example to find the victim's friends by location, name, religion, or any combination of those.

Masas was also able to search for posts containing specific text from the user who clicked, or from any of that user's friends. Even if your privacy settings limited your Likes to friends only, this vulnerability would bypass them, he added.

"This allowed information to cross over domains -- essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends," he said in a statement.
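The attack described above depends on two properties of the target page: that an unrelated origin can load it (for instance in an iframe), and that the victim's session cookie is still attached when it does. The following Node.js script is an added example, not code from the article, from Imperva, or from Facebook (the article does not say how Facebook fixed its search page). It audits a constructed HTTP response for those two properties: whether another origin may frame the page (`X-Frame-Options` and CSP `frame-ancestors`) and whether the session cookie accompanies cross-site loads (the cookie's `SameSite` attribute). The cookie name `session`, both sample responses, and all header values are constructed for illustration.

```javascript
// Added example (not from the article, Imperva or Facebook): audits a
// constructed HTTP response for the two conditions a cross-site framing +
// CSRF attack of the kind described needs: that another origin may embed the
// page, and that the victim's session cookie is sent on such cross-site loads.

// Parse a raw response header block into { lowercased-name: [values...] }.
// Set-Cookie may repeat, so every header keeps an array of values.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("HTTP/")) continue; // skip status line
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// True if a page served with these headers can be placed in an <iframe> by an
// unrelated origin. CSP frame-ancestors decides when present; otherwise
// X-Frame-Options does; with neither, any site may frame the page.
function canBeFramedCrossOrigin(headers) {
  for (const policy of headers["content-security-policy"] || []) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() !== "frame-ancestors") continue;
      const sources = tokens.slice(1).map((s) => s.toLowerCase());
      // An empty source list means 'none'; 'self' admits only the same origin.
      const restricted =
        sources.length === 0 ||
        sources.every((s) => s === "'none'" || s === "'self'");
      return !restricted;
    }
  }
  const xfo = (headers["x-frame-options"] || [])[0];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY" || v === "SAMEORIGIN") return false;
  }
  return true;
}

// Where the named session cookie travels on cross-site loads, derived from its
// SameSite attribute. A missing attribute is treated as "sent everywhere",
// which was browser behaviour in 2018 (Chrome has defaulted to Lax since 2020).
function cookieCrossSiteExposure(headers, cookieName) {
  for (const setCookie of headers["set-cookie"] || []) {
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    if (pair.split("=")[0] !== cookieName) continue;
    let sameSite = "none";
    for (const attr of attrs) {
      const [k, v] = attr.split("=");
      if (k.toLowerCase() === "samesite" && v) sameSite = v.trim().toLowerCase();
    }
    // Strict: never sent cross-site. Lax: sent on top-level navigations (a new
    // tab opened from another site) but not inside an embedded frame.
    if (sameSite === "strict") return { found: true, topLevelNavigation: false, embeddedFrame: false };
    if (sameSite === "lax") return { found: true, topLevelNavigation: true, embeddedFrame: false };
    return { found: true, topLevelNavigation: true, embeddedFrame: true };
  }
  return { found: false, topLevelNavigation: false, embeddedFrame: false };
}

// Summarise both properties for one response.
function auditResponse(raw, cookieName) {
  const headers = parseHeaders(raw);
  const cookie = cookieCrossSiteExposure(headers, cookieName);
  return {
    frameable: canBeFramedCrossOrigin(headers),
    cookieOnTopLevel: cookie.topLevelNavigation,
    cookieInFrame: cookie.embeddedFrame,
  };
}

// Constructed sample responses: one with no framing or SameSite protection,
// one with the usual hardening headers.
const WEAK_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly",
].join("\r\n");

const HARDENED_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options: DENY",
  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
].join("\r\n");

for (const [label, raw] of [["weak", WEAK_RESPONSE], ["hardened", HARDENED_RESPONSE]]) {
  console.log(label, auditResponse(raw, "session"));
}
```

Note the caveat the audit makes visible: `SameSite=Lax` still sends the cookie on a top-level navigation such as a newly opened tab, so on its own it does not cover the new-tab step the article describes; it is the framing restriction, together with whatever server-side change Facebook made to the search page itself, that closes the cross-origin route.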


Data like this is extremely valuable to outside firms, as Cambridge Analytica demonstrated in Facebook's abuse scandal from March.

The now-defunct UK data analytics firm siphoned information, including Likes and friends' interests, from 87 million Facebook accounts without users' permission. The company then used that data to build profiles of users it could target with political advertising.

Then in September, Facebook noted that hackers had stolen personal information on 29 million people using vulnerabilities tied to its "View As" feature. Facebook declined to comment on who was behind the hack as it was still under FBI investigation, but the Wall Street Journal reported that it was likely spammers posing as a digital marketing company.

"Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company," Masas said.

Originally published at 8:11 a.m. PT.

Updated at 8:54 a.m. PT: To include comments from Facebook.