New Facebook Vulnerability Exploits Search Results

Cybersecurity researchers at Imperva have discovered a vulnerability in Facebook that may have allowed attackers to steal personal information about users and their friends.

Ron Masas, Imperva security researcher, the vulnerability lies within the way the Facebook search feature shows results for searches. The page that displays search results is vulnerable to cross-site request forgery (CSRF) attacks. The results page includes iFrame elements for each outcome of the search; the endpoint URLs are not protected from CSRF.

CSRF is defined as:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data since the attacker has no way to see the response to the forged request

In order for attackers to exploit the vulnerability, they would need to trick users into visiting a malicious site on a web browser where they are logged into their Facebook accounts. When the victim clicks anywhere on the page, a javascript code will be executed, opening a new tab or window. This new tab or window will contain a Facebook URL that will execute a predefined search and extract the targeted information from the results.

The vulnerability did not allow attackers to gather huge amounts of information at once but was localised so the damaging fallout from this vulnerability would likely have been small. There is no evidence this vulnerability was exploited since attackers are most likely looking for more lucrative vulnerabilities. The vulnerability has now been patched by Facebook.

In a statement, Masas said:

 The attack actually leaks the number of search results for any search query on the currently logged Facebook account. The most basic usage is to make boolean queries like ‘photos of me from Iceland