Facebook vulnerability could have let websites obtain users' interests

Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users' profiles without them knowing about it.

The researcher realized that just by looking for an iframe inside the search results page, he could easily determine whether a search query had returned a positive or negative result.

Facebook fixed the issue in May and there's no indication that the flaw was successfully exploited by hackers.

Masas told ZDNet that an attacker could use a technique called "tab under" to force the Facebook Search page to open in a background tab, which keeps the user's focus on the main malicious page, one that could be disguised as an online game, a movie-streaming portal, or a news article.

Ankush Johar, Director at Infosec Ventures, explained: "Although CSRF flaws have a big prerequisite to work, that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is that, unlike other websites, most of the users are always logged into Facebook in their browsers, thus putting everyone at massive risk."

Facebook is not the only company that has faced this type of issue, and it seems no one took advantage of this particular vulnerability. Notably, because these searches would appear to be conducted by the user, whose login and browser had been authenticated by Facebook, the search results were not restricted by the user's privacy settings.

This is the latest revelation in Facebook's bug-filled year. The technique could also be used to search a user's posts for certain keywords, among other more complex queries, all of which are normally visible only to people on the user's friend list. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser.

A video demonstrating how the hack works shows a pop-up window where the attackers type in the questions.

Even if these search queries didn't expose fine-grained details, they did expose second-hand information that, when pieced together, could reveal the identity of a user and his circle of friends.

"We appreciate this researcher's report to our bug bounty program".

The company awarded Imperva $8,000 in two separate bug bounty rewards.