A new bug discovered on Facebook could allow other websites to extract users’ personal information, such as contact numbers. Apart from gathering private data, the bug could also expose a user’s likes and interests.
Ron Masas, a security researcher at Imperva, reportedly explored the bug in May and confirmed that Facebook was exposed to a cross-site request forgery (CSRF). The bug resided in Facebook's search system.
"I browsed Facebook's online search results, and in their HTML noticed that each result contained an iframe element -- probably used for Facebook's own internal tracking," Masas said in a report.
By checking whether the search result page contained an iframe, the researcher could infer the answer to a query. Using basic 'Yes' and 'No' questions, Masas gathered a lot of information about a user, such as whether a photo was taken at a certain geographical location.
Masas said that the bug could also have allowed cybercriminals to determine whether a user has friends belonging to other religions, whether the user has friends with a particular name, and much more. What is more, the bug is also capable of exposing the identity of a user's friends group.
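The yes/no oracle described above depends on a third-party page being able to load the search page in a frame while the user's session is attached, and then reading how many frames the embedded document contains. As an added example (not part of this article, and not Facebook's or Imperva's code), here is a server-side gate a search endpoint could apply to refuse cross-site framed loads and to stamp every response with anti-embedding headers. The request object shape and the function names are assumptions; the Sec-Fetch-* headers, CSP frame-ancestors, X-Frame-Options and the SameSite cookie attribute are standard browser mechanisms.

```javascript
// Added example, not from the article: a gate for a search endpoint that
// (a) refuses framed or subresource loads initiated by a cross-site page and
// (b) attaches headers that forbid cross-origin embedding, so a third-party
// page cannot load the search page in an iframe and count its frames.
// `req` is assumed to be {method, headers} with lower-cased header names.

const HARDENING_HEADERS = {
  // Only same-origin documents may embed this response (modern browsers).
  'Content-Security-Policy': "frame-ancestors 'self'",
  // Legacy equivalent for browsers that predate frame-ancestors.
  'X-Frame-Options': 'SAMEORIGIN',
  // Personalised search results should never be cached and replayed.
  'Cache-Control': 'no-store',
};

// Destinations that mean "this response will be embedded inside another page".
const FRAMED_DESTS = new Set(['iframe', 'frame', 'embed', 'object']);

// Decide whether a search request may be served and which headers to attach.
function gateSearchRequest(req) {
  const h = (req && req.headers) || {};
  const site = h['sec-fetch-site']; // same-origin | same-site | cross-site | none | undefined
  const dest = h['sec-fetch-dest']; // document | iframe | empty | ... | undefined

  if (site === 'cross-site') {
    // A cross-site page trying to embed the search page: refuse outright.
    if (FRAMED_DESTS.has(dest)) {
      return { allowed: false, status: 403, headers: HARDENING_HEADERS, reason: 'cross-site framed load' };
    }
    // Cross-site fetch/XHR of search results is refused as well; only a
    // top-level navigation (dest 'document') from elsewhere is permitted.
    if (dest !== 'document') {
      return { allowed: false, status: 403, headers: HARDENING_HEADERS, reason: 'cross-site subresource load' };
    }
  }
  // Same-origin requests, top-level navigations, and legacy browsers that send
  // no Sec-Fetch-* headers are served; the latter are covered by the SameSite
  // cookie below, which keeps the session off cross-site embedded loads.
  return { allowed: true, status: 200, headers: HARDENING_HEADERS };
}

// Session cookie attributes to pair with the gate: SameSite=Lax keeps the cookie
// off cross-site subresource loads (iframes included), so an embedding page only
// ever sees the logged-out version of the search page.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}
```

The gate is deliberately layered: Sec-Fetch-* metadata stops the framed load at the server, the CSP and X-Frame-Options headers stop the browser from rendering it in a cross-origin frame even if the request got through, and the SameSite cookie removes the authenticated context that made the oracle informative in the first place.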
Masas found the bug while researching a Chrome vulnerability that allowed hackers to steal Facebook users’ private information.
“Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iframes to leak the user's personal information. Interestingly, this technique leaves almost no trace, unlike authentication bypasses,” Masas said.
Facebook was informed of the vulnerability soon after its disclosure and subsequently fixed the issue.
“We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications,” a Facebook spokesperson told TechCrunch.