Application security, Network Security, Patch/Configuration Management, Vulnerability Management

Facebook reportedly fixes search bug that could have threatened user privacy

Facebook earlier this year reportedly patched a vulnerability in its search page that could have allowed enterprising attackers to perform reconnaissance on certain users.

In a company blog post today, Imperva security researcher Ron Masas wrote that Facebook fixed the issue shortly after he discovered the flaw back in May.

Masas reportedly noticed that Facebook's search page had a dangerous combination of conditions: the search endpoint was not cross-site request forgery (CSRF) protected and the HTML found within Facebook's online search results contained iframe elements that exhibit cross-origin behavior.

Prior to the fix, attackers could have taken advantage of these conditions by tricking users into opening a malicious website and clicking anywhere upon it in order to secretly open a pop-up or tab containing the Facebook search page.

At this point the attackers could have forced the victimized users to perform Facebook search queries revealing certain related details about themselves.

Such details apparently would have been limited to numerical data, such as how many Facebook friends they have from a specific country. The attackers would have been able to know the exact amount based on the number of iframe elements on the page, because one iframe equals one search result.

It also would have been possible for the attackers to query a specific name and confirm that the user was friends with that person, or query a specific web page and confirm that the user liked that page. In such instances, the presence of a single iframe element would indicate a positive hit -- in other words, a "yes" -- while zero iframe elements would be tantamount to a "no."

"We appreciate this researcher's report to our bug bounty program," a Facebook spokesperson told SC Media. "We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related

Data exposed by over 30K Postman Workspace instances

Hackread reports that more than 30,000 internet-exposed instances of widely used cloud-based API development and testing platform Postman Workspace had API keys, tokens, and admin credentials exposed as a result of access control misconfiguration, accidental Postman collection sharing, public repository syncing, and unencrypted storage of plaintext data.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

ACK PiggybackingAddress Resolution Protocol (ARP)BannerBrowserCookieCrossover CableCut-ThroughDecapsulationDemilitarized Zone (DMZ)Domain Name

You can skip this ad in 5 seconds