The security company Imperva He discovered a bug in May that allowed websites to have access in the data of Facebook users but also in the personal information of their friends.
The bug allowed websites to access users' preferences and interests via a query on Facebook's Graph search. Fortunately, the problem has already been fixed by the larger social network.
Imperva researcher Ron Masas discovered in May that Facebook allowed cross-site request forgery (CSRF) attacks. This means that another website could access Facebook user data by querying it code.
For a website to exploit the bug, it would have to use one iframe which displayed Facebook within its pages.
So if a user who was logged in to Facebook was visiting the malicious code page, the script would start collecting data by sending queries to the social network via Graph search: "Does the user have friends?" or "Does he have friends in Canada?"
You can see an example in the video below.
Investigator Ron Masas of Imperva also said the attack allowed access to users' data even if the information was only visible to friends.
A Facebook representative, however, told TechCrunch that there was no data loss. Let's say that Imperva won 8.000 dollars for two separate bugs announced on Facebook.
History comes to remind us that it does not exist Internet safety. From the moment your data is stored on the internet, it ceases to be yours and becomes shared with the first hacker who succeeds in breaking into the system.
______________
- VisBug from Google, new practical dev tool
- Facebook presents the Lasso application
- DTP Facebook Google Microsoftc Twitter: data portability project
- App in Facebook did you try last?
- Facebook sued for post traumatic stress disorder