Another security vulnerability has been discovered on Facebook that could have allowed attackers to obtain certain personal information about users and their friends, putting the privacy of users of the world's most popular social network at risk.

Discovered by cybersecurity researchers from Imperva, the vulnerability lies in the way Facebook's search feature displays the results of queries made.

According to Imperva researcher Ron Masas, the page displaying the search results includes iFrame elements associated with each result, and the endpoint URLs of those iFrames had no protection mechanism against cross-site request forgery (CSRF) attacks. It should be noted that the newly reported vulnerability has already been patched and, unlike the earlier ones that revealed a flaw exposing the personal information of 30 million users, it did not allow attackers to extract information from large numbers of accounts at once.

"For this attack to work, we need to trick a Facebook user into opening our malicious site and clicking anywhere on it (it can be any site where we can run JavaScript), which lets us open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want," explained Masas in a blog post published today.

Imperva responsibly reported the flaw to Facebook through the company's vulnerability disclosure program in May 2018, and the social media giant fixed the issue days later by adding CSRF protections.

Almost three months ago, Masas also reported an impressive web browser vulnerability that exposes everything other web platforms, like Facebook and Google, know about you. He also conducted a test to demonstrate the vulnerability.
