Facebook recently addressed a vulnerability that could have allowed anyone to access private information about users and their contacts.
The vulnerability, Imperva security researcher Ron Masas explains, was found in Facebook’s online search function. He discovered that the HTML code for every search result contained an iframe element that could be exploited maliciously.
The issue is that the endpoint that expects a GET request with a number of search parameters is now cross-site request forgery (CSRF) protected. This allow users to share the search results page via a URL, but most users won’t take action, which makes it a non-issue.
When it comes to the Facebook online search, however, the problem is that the CSRF bug can be combined with the fact that iframes are exposed in part to cross-origin documents.
The user interaction triggers a popup or a new tab to the Facebook search page, and the attacker forces the user to execute any search query they want.
“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property. By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,” Masas explains.
The security researcher, who published a proof-of-concept video, notes that he was able to extract a variety of private user data by exploiting the issue.
Such information included details on whether the user had friends from Israel or friends named “Ron,” whether the user had taken photos in certain locations/countries, if they had Islamic friends or Islamic friends living in the UK, and even if the user or their friends wrote a post containing a specific text.
The process, the researcher explains, can be repeated without the need for a new popup or tab, as the attacker has control over the location property of the Facebook window through running a specific snippet of code.
“This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site,” the security researcher says.
The attacker doesn’t even need a Facebook account to extract said information, Imperva told SecurityWeek in an email. The security firm also said that Facebook, who was alerted on the bug in May, issued two bounties (mobile and desktop), for the total amount of $8,000.
Source: infosec island