Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users’ profiles without them knowing about it.
The bug was first discovered in May by Ron Masas, a security researcher at Imperva. Masas found that Facebook search results were not sufficiently protected against cross-site request forgery, meaning a malicious website could have loaded Facebook in an iframe and extracted data from the visitor's logged-in Facebook session in another tab.
“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” Masas told SiliconANGLE.
Masas said the bug allowed websites to see the user’s interests as well as their friends' interests, even if their privacy settings were set to allow only friends to see their interests.
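The article does not say how Facebook closed the hole. As an added illustration of the defensive side (not Facebook's or Imperva's code), the snippet below shows three controls that stop a third-party page from framing an authenticated search-results page and reading anything user-specific from it: a SameSite session cookie, a frame-ancestors policy, and a server-side Fetch Metadata check. The endpoint, cookie name and header values are assumptions for the example.

```python
"""Hardening a logged-in search endpoint against cross-site framing.

Added example, not code from Facebook or Imperva. Models the defence against the
bug described above: a third-party page embeds an authenticated search page in
an iframe and infers data from it. Names and values are constructed.
"""
from http.cookies import SimpleCookie


def session_cookie(hardened: bool) -> str:
    """Set-Cookie value for the login session.

    With SameSite=Lax the browser does not attach the cookie to a cross-site
    iframe load, so a framed search page renders as logged-out and carries no
    per-user data to leak.
    """
    jar = SimpleCookie()
    jar["session"] = "opaque-session-id"  # constructed placeholder value
    morsel = jar["session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    if hardened:
        morsel["samesite"] = "Lax"
    return morsel.OutputString()


def search_headers(hardened: bool) -> dict:
    """Response headers for the /search page.

    The weak form lets any origin frame the results; the hardened form forbids
    framing (CSP frame-ancestors, plus X-Frame-Options for older browsers).
    """
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if hardened:
        headers["Content-Security-Policy"] = "frame-ancestors 'none'"
        headers["X-Frame-Options"] = "DENY"
    return headers


def allow_search(request_headers: dict) -> bool:
    """Server-side check using Fetch Metadata request headers.

    Refuse personalised results when the browser reports that the request was
    initiated cross-site to fill a frame or embed. Same-site and top-level
    navigations (and browsers that send no Fetch Metadata) are still served.
    """
    site = request_headers.get("Sec-Fetch-Site", "")
    dest = request_headers.get("Sec-Fetch-Dest", "")
    if site == "cross-site" and dest in ("iframe", "frame", "embed", "object"):
        return False
    return True


if __name__ == "__main__":
    print(session_cookie(hardened=True))
    print(search_headers(hardened=True))
    print(allow_search({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "iframe"}))
```

Any one of the three controls breaks the chain on its own; deploying all three avoids relying on a single browser feature being present.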
One of many security issues
Facebook said it fixed the bug within days of being alerted to it. The company says it has seen no sign of the vulnerability being exploited for malicious purposes.
“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
The vulnerability is one of several to have affected Facebook recently. It follows the Cambridge Analytica scandal, in which a political data firm improperly harvested information on 87 million users for election profiling.
More recently, Facebook admitted that millions of user account tokens had been stolen by hackers who breached its system.