This Facebook bug let websites see users’ likes and interests
It's the latest in a string of cybersecurity exploits surrounding Facebook.
November 13, 2018
Facebook claims it’s fixed a bug that allowed websites to obtain information from a user’s profile, including their “likes” and interests, after security researcher Ron Masas zeroed in on the particular social media exploit, reports TechCrunch.
Masas, who works for cybersecurity company Imperva, found that search results on Facebook weren’t being properly safeguarded from a type of cyber-attack known as a cross-site request forgery (CSRF). In a CSRF attack, a malicious site makes the victim’s browser send requests that carry the victim’s logged-in Facebook session, so the attacker can grab portions of user data from that profile without authorization.
And it allowed such info to “cross over domains,” explains the researcher. “Essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friend.” That’s right, just leaving Facebook logged-in on an open tab and visiting a certain website could trigger an attack.
And that malicious site could then mount Facebook searches that might return “yes” or “no” responses. For example, the exploit could see if a user liked a certain page. And it means the bug “exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” notes Masas. But this problem isn’t solely in Facebook’s court.
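The defence for the scenario above is on the server side: a search endpoint that returns per-user data should refuse requests the browser made on behalf of another origin, and should tie the session cookie to the site with SameSite. The gate below is an added example, not Facebook’s or Imperva’s code; the site origin, header names and request shape are hypothetical.

```python
# Added example (not code from the article or the companies it names): a gate
# for a personalised search endpoint. It rejects requests that a logged-in
# user's browser sent while visiting some other site, which is the condition
# the article describes. SITE_ORIGIN and the header names are assumptions.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac

SITE_ORIGIN = "https://social.example"   # constructed stand-in for the real site origin

@dataclass
class Request:
    headers: dict = field(default_factory=dict)   # header name -> value
    cookies: dict = field(default_factory=dict)   # cookie name -> value

def initiator_origin(req: Request):
    """scheme://host of the page that caused this request, or None if unknown."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    if "Referer" in req.headers:
        p = urlsplit(req.headers["Referer"])
        return f"{p.scheme}://{p.netloc}"
    return None

def is_cross_site(req: Request) -> bool:
    """True when the browser says (or we must assume) another site started the request."""
    sfs = req.headers.get("Sec-Fetch-Site")
    if sfs is not None:                        # modern browsers: treat as authoritative
        return sfs not in ("same-origin", "same-site", "none")
    return initiator_origin(req) != SITE_ORIGIN   # unknown initiator -> fail closed

def allow_search(req: Request, session_csrf_token: str) -> bool:
    """Session cookie present, request not cross-site, CSRF token matches the session."""
    if "session" not in req.cookies:
        return False                           # no session: nothing user-specific to serve
    if is_cross_site(req):
        return False                           # the case the article describes
    sent = req.headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(sent, session_csrf_token)

def session_cookie(value: str) -> str:
    """Set-Cookie value; SameSite keeps the cookie off cross-site subresource requests."""
    return f"session={value}; Secure; HttpOnly; SameSite=Lax"
```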
The bug is a known exploit to hackers. But Masas said the type of data the social media giant harbors would be “attractive” to advertising concerns. For its part, Imperva quietly told Facebook about the bug in May. It was fixed a few days later.
“We appreciate this researcher’s report to our bug bounty program,” a spokesperson said in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
The finding of the exploit saw $8,000 paid out by Facebook in bug bounties. And this isn’t the first time the company’s run into cybersecurity issues: The Cambridge Analytica scandal earlier this year brought social media security to the fore.
What do you think of Facebook’s latest bug issue? Have you ever had a problem with security on the social media service? Sound off down in the comments section, below, and let us know what you think of the buggy Facebook news.