Security experts have discovered a new Facebook bug that allows malicious users to hijack sensitive data from users of the social network. According to the proof-of-concept demonstrations, the issue allows hackers to exploit a weakness in the service through browser requests. The issue was disclosed to Facebook, whose security team is resolving the bug.
The Newly Announced Facebook Bug Allows Hackers to Hijack Private Data
A recently published announcement concerning Facebook security warned that a new vulnerability was identified in the social network. The cause of concern was found within the code of the web page: it contained specific HTML iframe elements that are used to track the users. They are an essential part of the site and also call functions across the web service. Upon further analysis the issue was discovered. As a result, a proof-of-concept attack scenario was uncovered:
- The Facebook search engine expects a GET request which is filled with the necessary values from the user's search query. It was found not to be protected against cross-site request forgery.
- This will open a pop-up or a new tab instance which will interact with the Facebook search page.
- The malicious scripts can manipulate the requests in order to acquire any information that can be accessed through this function.
From the search results the malicious operators can gain information about both the user and other contacts in their friend list. The security researchers note that mobile users are the most affected, as open tabs and other elements can easily be ignored in the background. This allows hackers to run multiple queries simultaneously while the victim is doing other things.
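One way a server can treat the cross-site GET search request from the scenario above, shown as an added example that is not from the original article and is not Facebook's code. It relies on the Fetch Metadata request headers that browsers send; the function name, the action strings, the fallback policy and the sample request are assumptions made for illustration.

```javascript
"use strict";
// Hypothetical names: classifySearchRequest and the action strings are
// invented for this example; the Sec-Fetch-* headers are real browser headers.
const TRUSTED_INITIATORS = new Set(["same-origin", "same-site", "none"]);

// Decide how a cookie-authenticated GET search endpoint answers a request.
function classifySearchRequest(method, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).toLowerCase();
  }
  const site = h["sec-fetch-site"];

  // Header absent (older browser, non-browser client): no signal here.
  // Assumption: other controls cover this case, so the request is served.
  if (site === undefined) return "serve";
  // The site's own pages, plus typed URLs and bookmarks ("none").
  if (TRUSTED_INITIATORS.has(site)) return "serve";

  // Everything below was initiated by another site.
  const topLevelNav =
    h["sec-fetch-mode"] === "navigate" && h["sec-fetch-dest"] === "document";
  if (method === "GET" && topLevelNav) {
    // A link, pop-up or new tab opened by a foreign page. Do not run the
    // query it supplied with the visitor's cookies; render the empty form
    // so the visitor has to submit a search themselves.
    return "serve-without-query";
  }
  // Cross-site iframes, subresource loads, fetch() and non-GET requests.
  return "reject";
}

// Sent with every search response so a foreign opener keeps no handle on
// the window it opened (assumption: the site needs no cross-origin opener).
const ISOLATION_HEADERS = { "Cross-Origin-Opener-Policy": "same-origin" };

// Constructed sample: what a browser sends when another site opens the
// search URL in a pop-up or new tab.
const popupRequest = {
  "Sec-Fetch-Site": "cross-site",
  "Sec-Fetch-Mode": "navigate",
  "Sec-Fetch-Dest": "document",
};
console.log(classifySearchRequest("GET", popupRequest)); // serve-without-query
```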
We remind our readers that Facebook is constantly being targeted by various hacking collectives using creative methods. A recent example is the Facebook friend request forwarding scam (https://sensorstechforum.com/facebook-friend-request-forwarding-scam-attacks-users-data/), which is still being used actively by criminal collectives worldwide. Due to the timely private bug disclosure to Facebook, their security team has been working on resolving the issue, and so far no exploits have been reported.