The company security Imperva He discovered a bug in May that allowed websites to access Facebook users 'data and their friends' personal information.
The bug allowed websites to access users' preferences and interests via a query on Facebook's Graph search. Fortunately, the problem has already been fixed by the larger social network.
Imperva researcher Ron Masas discovered in May that Facebook allowed cross-site attacks request forgery (CSRF). This means that another website could access Facebook user data through queries in the code.
In order to take advantage of the error of a website, we would have to use an iframe that displayed facebook within its pages.
So if a user logged into Facebook visited the page with the malicious code, the script began collecting data by sending queries to the social network via Graph search: “Does the user have friends?” or "Does he have friends in Canada?"
You can see an example in the video below.
Investigator Ron Masas of Imperva also said the attack allowed access to users' data even if the information was only visible to friends.
A Facebook representative, however, told TechCrunch that there was no data loss. Let's say that Imperva won 8.000 dollars for two separate bugs announced on Facebook.
History comes to remind us that there is no safety on the internet. From the moment your data is stored on the internet, it stops being yours and becomes shared with the first hacker that will succeed in breaking the system.
______________
- VisBug from Google, new practical dev tool
- Facebook presents the Lasso application
- DTP Facebook Google Microsoftc Twitter: data portability project
- App in Facebook did you try last?
- Facebook sued for post traumatic stress disorder