THE SOCIAL NETWORK Facebook has suffered yet another privacy-sapping screw-up after a bug allowed other websites to suck up data from user's profiles.
Flagged by Imperva security researcher Ron Masas back in May, Facebook quickly and quietly squashed the bug but its details have only just surfaced.
If exploited, it could have allowed user data such as 'likes' and interests to be harvested; not exactly a major data deluge but an infringement on privacy nonetheless.
In researching a vulnerability in the Chrome browser, Masas noted an iFrame element in the HTML of Facebook's online search results, likely used for Facebook's internal tracking processes.
However, iFrames can be used to embed materials and as such are "exposed in part to cross-origin documents" unlike other web elements.
That element, along with the fact that Facebook's search page is effectively an endpoint that expects a GET request (a method of retrieve information from a server in response to a specific query) with search parameters in order to serve up results is not protected against cross-site request forgery, allowed Masas to come up with a data extracting hack.
"Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.
"By manipulating Facebook's graph search, it's possible to craft search queries that reflect personal information about the user.
"For example, by searching: "pages I like named `Imperva`" we force Facebook to return one result if the user liked the Imperva page or zero results if not."
From there, an attacker could basically infer a target and their Facebook friends' private data, such as finding posts with certain text or seeing if they have photos taken at a specific location. All dodgy stuff.
But Facebook told TechCrunch that it hasn't seen any abuse of the vulnerability. And given that Masas was on a vulnerability hunt, we suspect that such a bug isn't something that opportunistic hackers would stumble across.
Still, it's once again a story of Facebook slipping up when it comes to protraction user data hook-line-and-sinker; maybe it's time Mark Zuckerberg popped over to the UK to discuss such privacy issues. µ
Wants to stop the apathy surrounding security breaches
Come on Barbie, let's go party... with Siri
Penguin joins Club, takes biscuit
The social network knows what you did Summer 2007