Facebook bug allowed hackers to access users’ personal information including Likes and interests | HT Tech

Facebook says it discovered the issue in May and has already fixed the vulnerability.

By: MARCIA SEKHOSE
| Updated on: Nov 14 2018, 19:11 IST
The entrance sign to Facebook headquarters is seen in Menlo Park, California, on Wednesday, October 10, 2018. (REUTERS)

A researcher at cyber security firm Imperva discovered a vulnerability in Facebook's search feature that could allow hackers to gain access to sensitive user information such as interests, likes and even friends.

Researcher Ron Masas describes this vulnerability as a cross-site request forgery (CSRF) flaw, which allows any malicious website to remotely collect information from a user's profile on Facebook.

The bug required users (logged in to Facebook) to visit a malicious website and click anywhere. This would trigger the bug and open a small pop-up or a new browser tab with Facebook's search page. Hackers could then remotely execute any search query in the victim's session.

A video demonstrating how the hack works shows a pop-up window in which the attackers type in their questions. For example, a query asking whether the person likes running comes back with a yes or no answer according to their information on Facebook.

This bug can be used to extract information about the user's friends as well. Masas explains the different kinds of information an attacker could find out through this bug. Some of the examples given include finding out whether a user took photos at certain locations, has friends from a specific country, or has written a post containing specific text.

He further points out that this bug could have affected smartphone users more. "This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker's site," he explained.
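As an added illustration that is not part of this article and not Facebook's or Imperva's code, the Python sketch below shows one defensive pattern for a search endpoint that answers with per-user data, the situation described above: a request initiated from another site gets a neutral, non-personalized response and is logged for the detection team. It assumes the browser-set Sec-Fetch-Site header (with Origin and Referer as fallbacks for older browsers) and a constructed site name, example.social.

```python
# Added example (not Facebook's or Imperva's code): a server-side guard for a
# search endpoint that returns per-user answers. The article describes a
# malicious site opening the search page in a pop-up and running queries in
# the victim's session; here a cross-site-initiated request is answered with a
# neutral, non-personalized page instead of the user's data, and is logged.
# Header names are real Fetch Metadata / HTTP headers; everything else is
# constructed for illustration.
from urllib.parse import urlsplit

SITE = "example.social"  # the app's own registrable domain (constructed)


def _origin_host(value):
    """Return the host of an Origin/Referer header, or None if absent/invalid."""
    if not value or value == "null":
        return None
    return urlsplit(value).hostname


def is_cross_site(headers):
    """True when the request was initiated from another site.

    Prefer the browser-set Sec-Fetch-Site header; fall back to Origin, then
    Referer. With no signal at all, treat the request as cross-site (fail
    closed) so a stripped Referer cannot unlock personal data.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs in ("same-origin", "same-site", "none"):
        return False  # "none" = user-initiated (typed URL, bookmark)
    if sfs == "cross-site":
        return True
    host = _origin_host(h.get("origin")) or _origin_host(h.get("referer"))
    if host is None:
        return True
    return not (host == SITE or host.endswith("." + SITE))


def handle_search(headers, query, user):
    """Serve personalized results only for same-site requests.

    Returns (status, body, audit_event). The audit event is what a detection
    team would want to see if a cross-site page starts driving search queries.
    """
    if is_cross_site(headers):
        event = {"type": "cross_site_search", "user": user, "query": query}
        # Neutral page: identical for every visitor, so the opener learns nothing.
        return 200, {"results": [], "personalized": False}, event
    # Placeholder for the real per-user lookup (constructed result).
    return 200, {"results": [f"{user}:{query}"], "personalized": True}, None
```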

Ankush Johar, Director at Infosec Ventures explained, "Although CSRF flaws have a big prerequisite to work that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is, unlike other websites, most of the users are always logged into Facebook in their browsers thus putting everyone at massive risks. Moreover, it's not known that since how long this vulnerability has existed and has been exploited in the wild."

The bug was reported to Facebook and fixed in May of this year.

In a statement to The Verge, Facebook said, "We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

Facebook has been hit hard by a spate of major security breaches this year. Earlier this year, personal information of over 80 million Facebook users was accessed by the UK-based research consultancy Cambridge Analytica.

In October this year, Facebook said hackers had gained access to private messages of nearly 120 million Facebook accounts. Most of these details have already been published on the dark web.


First Published Date: 14 Nov, 19:10 IST