Facebook engineers have plugged another bug in the social network's underlying codebase that could have allowed a malicious threat actor to stealthily collect highly personal information about Facebook users.
In an email exchange with ZDNet, Imperva's Ron Masas, the security researcher who discovered the issue, says the bug resided in Facebook's Search system.
"I browsed Facebook's online search results, and in their HTML noticed that each result contained an iframe element -- probably used for Facebook's own internal tracking," Masas said.
The researcher says that upon seeing this, he realized that by looking for an iframe inside the search results page he could determine whether a search query had returned a positive or negative result.
Using basic yes and no questions, Masas says he could infer if users have liked a particular page, if they've taken photos at certain geographical locations, if they had friends of a certain religion in their friends list, if they've shared posts with a specific text, if a user has friends with a particular name, if the user has friends living in a specific city or country, and many other highly sensitive details.
Even when these search queries didn't expose fine-grained details, they did expose second-hand information that, when pieced together, could reveal the identity of a user and his circle of friends.
But some of this highly personal information is available only to the user alone. An attacker wouldn't be able to run these search queries via the public Facebook Search feature.
Masas told ZDNet that an attacker could use a technique called "tab under" to force the Facebook Search page to open in a background tab, keeping the user's focus on the main malicious page, which could be disguised as an online game, movie streaming portal, or news article.
Since the tab under technique is regularly used nowadays to push intrusive online ads, most users wouldn't even pay attention to a new tab being opened in their browser's background, considering it just another ad.
While the user interacts with the malicious page, Masas' script would automate a series of Facebook searches via the Facebook Graph API, count the number of iframes each search results page returned via the "fb.frames.length" property, and log the results. The researcher shared a video of the attack while it was still possible.
The attack would surely not work if users had only two or three tabs open in their desktop browser and noticed a new Facebook tab being opened, but since most users tend to keep a large number of tabs in the tab bar, there's a high chance most users won't even see the attack going on, especially if they're focused on the attacker's malicious page, which should be easy if the page delivers a game, news article, or video.
Further, the attack is also likely to be even more effective on mobile devices, where tabs aren't visible on screen but only as a tab counter, which is often ignored.
Masas told ZDNet that his attack worked against all browsers and was not limited to Chrome, like a previous Facebook bug he found in August.
Furthermore, the attack doesn't need to open a separate tab for each search query: the attacker can reload the existing background tab with a new search URL at short intervals.
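The underlying problem is general: any page whose frame count depends on private state leaks one bit per load to a cross-origin page that holds a window handle to it. As an added example (not code from the article, from Imperva's research, or from Facebook), the Node.js snippet below turns that into a regression check a site owner can run on rendered search pages, and shows the response headers that close the channel in the browser (the Cross-Origin-Opener-Policy header postdates this article). The HTML snippets and the `session` cookie name are constructed for illustration.

```javascript
// Added example, not the article's or Facebook's code. Models the leak as a
// check on served markup: the number of frames in a search results page must
// not depend on whether the query matched, because a cross-origin opener can
// read window.frames.length on the tab it opened. Snippets are constructed.

// Leaky design: one tracking iframe per result, so "hit" and "miss" pages
// expose different frame counts to the opener.
const SEARCH_HIT = `<div class="results">
  <div class="result"><iframe src="/track?r=1"></iframe>Result one</div>
  <div class="result"><iframe src="/track?r=2"></iframe>Result two</div>
</div>`;
const SEARCH_MISS = `<div class="results"><p>No results found.</p></div>`;

// Fixed design: exactly one tracking frame regardless of what the query
// matched, so the count no longer carries any information.
const FIXED_HIT = `<iframe src="/track"></iframe><div class="results">
  <div class="result">Result one</div><div class="result">Result two</div>
</div>`;
const FIXED_MISS = `<iframe src="/track"></iframe><div class="results"><p>No results found.</p></div>`;

// Approximate what the opener would see in frames.length: one entry per
// <iframe> or <frame> element in the served markup (frames added later by
// scripts are not counted; render in a browser for the exact value).
function countFrames(html) {
  const tags = html.match(/<(iframe|frame)\b/gi);
  return tags ? tags.length : 0;
}

// One bit leaks per query when a matching and a non-matching results page
// present different frame counts.
function frameCountLeaks(hitHtml, missHtml) {
  return countFrames(hitHtml) !== countFrames(missHtml);
}

// Browser-level mitigations for the same page. COOP same-origin puts the
// page in its own browsing context group, so the opener's window handle is
// severed and frames.length reads 0 whatever the markup. SameSite=Strict
// withholds the session cookie from cross-site top-level navigations, so a
// tab opened by another site renders the logged-out page (Lax would still
// send the cookie on such a navigation). Cookie name is a placeholder.
function hardenedHeaders(sessionValue) {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Set-Cookie': `session=${sessionValue}; Secure; HttpOnly; SameSite=Strict`,
  };
}
```

Running `frameCountLeaks` over hit and miss renderings of every authenticated page that embeds frames catches this class of regression before release; the headers are the backstop for pages the check misses.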
In a blog post today, Masas says he reported the bug to Facebook in May this year, and the platform rolled out fixes shortly after.
"We appreciate this researcher's report to our bug bounty program," said a Facebook spokesperson today in a statement. "We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."
The researcher's findings show that despite its expansive bug bounty program, Facebook will always have a hard time securing its huge platform, and will always remain open to mass-harvesting operations, such as the Cambridge Analytica scandal or the recent security breach caused by another platform feature, the View As button. This is because of the inherent nature of security bugs, which are far easier to discover than it is to write a bug-free platform.
Article updated with Facebook statement.