Facebook Patches Vulnerability That Could Have Exposed User Data

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

Google Plus

[sanf780]

Google decided to close Google Plus instead of patching a similar issue. It was not a leak because nobody knew it had been exploited, same as here.

Re:

[antdude]

So, Facebook will close too? [grin]

Yep. I catalogued 80 vulnerabilities today

[raymorris]

I work in the field too. Cataloged 80 new vulnerabilities today.

Re:

[Anonymous Coward]

Facebook is a bit different that most. You and I get paid to patch vulnerabilities. Facebook makes its money by being a data leaking vulnerability. To actually patch anything, Facebook would need to close up shop.

The only winning move

[WCMI92]

Is to not use Facebook.

Why is Chrome to blame?

[manu0601]

It was a CSRF at Facebook, but why blame Chrome? The browser seems to just do its job.

the patch was

[thePsychologist]

rm -rf / on all of Facebook's servers.

Truncated headline

[Ol Olsoc]

"Facebook Patches Vulnerability That could Have Exposed User Data To GroupsThat Did Not Pay Facebook for That Data

FTFT

Contrarian Wisdom

[JoePete]

In every middle school, you have the librarians-turned-media-specialists trying to teach kids cybersecurity by reviewing things like "privacy" settings on Facebook. It's time we start telling kids to ignore such rubbish and assume everything they post, email, text etc. will someday be public. Once we get that point across to kids and their parents, not only will we have a safer Internet but a more civil one.