The security company Imperva discovered a bug in May that allowed websites to access Facebook users' data and their friends' personal information.
The bug allowed websites to access users' preferences and interests via a query on Facebook's Graph search. Fortunately, the problem has already been fixed by the largest social network.
Imperva researcher Ron Masas discovered in May that Facebook allowed cross-site request forgery (CSRF) attacks. That means a third-party website could access Facebook user data via queries in its code.
To take advantage of the bug, a website would have to use an iframe that displayed Facebook within its pages.
So if a user who was logged in to Facebook visited the page with the malicious code, the script began collecting data by sending queries to the social network through Graph search: "Does the user have friends?" or "Does he have friends in Canada?"
Researcher Ron Masas of Imperva also said the attack allowed access to users' data even if the information was only visible to friends.
A Facebook representative, however, told TechCrunch that there was no data loss. Note that Imperva was awarded 8,000 dollars for two separate bugs reported to Facebook.
The story is a reminder that there is no absolute security on the Internet. From the moment your data is stored on the internet, it ceases to be yours and becomes shared with the first hacker who succeeds in breaking into the system.