Security researchers have disclosed a new Facebook bug that allows a malicious web page to extract sensitive user data from the social network. According to the proof-of-concept demonstration, the problem lets an attacker exploit a weakness in the service through ordinary browser requests issued from a third-party site. The issue was privately disclosed to Facebook, whose security team is resolving the bug.
The Newly Announced Facebook Bug Allows Hackers to Hijack Private Data
A recently published announcement concerning Facebook security warned that a new vulnerability had been identified in the social network. The cause for concern was found in the code of the web page itself: it contains HTML iframe elements that are used to track users. These iframes are an integral part of the site and issue requests to other parts of the web service. Further analysis of this behaviour led to the discovery of the issue, and from it a proof-of-concept attack scenario was constructed:
- The Facebook search endpoint expects a GET request whose parameters carry the values of the user's search query. This request was found to have no protection against cross-site request forgery (CSRF): nothing in it ties the query to the logged-in user's session beyond the session cookie, which the browser attaches automatically.
- A malicious page opens a pop-up or a new tab that loads the Facebook search page with attacker-chosen query parameters, so the request is sent with the victim's credentials.
- The attacker's script can then vary the forged requests to harvest any information that is accessible through the search function.
Through the returned search results, the attackers can gain information about both the user and the contacts in their friend list. The security researchers note that mobile users are the most affected, because an open tab or pop-up is easily overlooked in the background. This allows the attackers to run multiple queries in parallel while the victim is busy with other actions.
We remind our readers that Facebook is constantly targeted by various hacking collectives using creative methods. A recent example is the Facebook friend request forwarding scam, which is still being used actively by criminal collectives worldwide. Thanks to the timely private disclosure to Facebook, their security team has been working on resolving the issue.