The security company Imperva has released new details on a Facebook vulnerability that could have exposed user data. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser. The bug was disclosed to Facebook and resolved in May.
In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information.
https://thehackernews.com/2018/11/facebook-vulnerability-hack.html
Hi Haitao
It is important to to know this information. Facebook should pay more attention to the incident. cross-site request forgery can be used by attackers to steal information or even money. It is important for Facebook to have control methods in place to prevent the incident from happening again.
Hi Haitao,
Facebook is a company need to pay strong attention to information security. Vulnerability inside their system should be found and evaluated more accurate, and incidents should be handled in a timely manner. Facebook should put much more efforts in this field to alleviate public concerns and rebuild trust.
It is interesting to know that Facebook’s search feature could be exploited to extract sensitive information related to your Facebook account, such as checking:
If you have a friend with a specific name or a keyword in his/her name
If you like a particular page or are a member of a specific group
If you have a friend who likes a particular page
If you have taken photos in a certain location or country
If you have ever posted a photo taken at certain places/countries
If you have ever posted an update on your timeline containing a specific text/keyword
If you have Islamic friends