A security researcher at Imperva recently identified a vulnerability within Facebook that could have allowed other websites to extract private information about users and their contacts.
Discovered by Imperva security researcher Ron Masas, the vulnerability reportedly preyed on the unique cross-origin behavior of iframes, which embed one HTML page inside another. By manipulating Facebook’s graph search, it was possible to craft search queries whose results reflected personal information about the user.
“A unique feature of the uncovered bug is the exploitation of the iframe element within Facebook’s search feature. This allowed information to cross over domains, essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company. Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Warning that the technique could increase in popularity throughout 2019, Masas added, “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iframes to leak the user's personal information. Interestingly, this technique leaves almost no trace unlike authentication bypasses.”
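The precondition for the leak described above is that a page reflecting user-specific search results can be loaded inside an iframe by an arbitrary third-party origin. As an added example (not code from the article, Imperva or Facebook), the following Python audit checks constructed sample responses of a hypothetical site for the anti-framing controls that remove that precondition, namely `X-Frame-Options` and the CSP `frame-ancestors` directive; every endpoint path, origin and header value below is made up.

```python
from typing import Dict, List
def parse_csp(value: str) -> Dict[str, List[str]]:
    policy: Dict[str, List[str]] = {}               # {directive: [sources]}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def _source_matches(source, embedder, site_origin) -> bool:
    """Does one frame-ancestors source allow the origin `embedder`? (Ports ignored.)"""
    if source in ("*", "'none'"):
        return source == "*"
    if source == "'self'":
        return embedder == site_origin
    e_scheme, _, e_host = embedder.partition("://")
    if source.endswith(":"):                         # scheme-source, e.g. "https:"
        return e_scheme == source[:-1]
    s_scheme, sep, s_host = source.partition("://")
    if not sep:                                      # host-source without a scheme
        s_scheme, s_host = e_scheme, source
    if s_scheme != e_scheme:
        return False
    if s_host.startswith("*."):                      # "*.partner.example" needs a subdomain
        return e_host.endswith(s_host[1:]) and e_host != s_host[2:]
    return e_host == s_host

def framing_allowed(headers, embedder, site_origin) -> bool:
    """True if a page with these headers can be put in an iframe by `embedder`; CSP wins over XFO."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lower:
        ancestors = parse_csp(lower["content-security-policy"]).get("frame-ancestors")
        if ancestors is not None:                    # an empty source list means 'none'
            return any(_source_matches(s, embedder, site_origin) for s in ancestors)
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return xfo == "sameorigin" and embedder == site_origin
    return True                                      # absent or obsolete ALLOW-FROM: embeddable

def audit(responses, embedder, site_origin) -> List[str]:
    """Return the paths that `embedder` could load inside a cross-origin iframe."""
    return [p for p, h in responses.items() if framing_allowed(h, embedder, site_origin)]
# Constructed sample responses (headers only) for the hypothetical site social.example.
SAMPLE_RESPONSES = {
    "/search?q=friends-interests": {"Content-Type": "text/html"},   # reflects user data, unprotected
    "/search/v2": {"X-Frame-Options": "SAMEORIGIN"},
    "/widgets/like": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "/settings": {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "SAMEORIGIN"},
}
FRAMEABLE = audit(SAMPLE_RESPONSES, "https://third-party.example", "https://social.example")
```

Only the unprotected search endpoint ends up in `FRAMEABLE`; a response that a third-party origin can frame is the one to review for user-specific content.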
According to Imperva, the vulnerability was reported to Facebook under its responsible disclosure program in May 2018. Masas worked with the Facebook security team to mitigate regressions and ensure that the issue was thoroughly resolved.
In a statement shared with TechCrunch, Facebook spokesperson Margarita Zolotova wrote, “We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”