This bug would have allowed the massive collection of the social network users’ data
Facebook cybersecurity and digital forensics teams have detected another security bug in the underlying code base of the social network that could have allowed a malicious hacker to inadvertently collect a massive amount of sensitive information of Facebook users.
Ron Masas, the security investigator who discovered the problem, mentioned in a security report that this new bug resided in the Facebook search system. “When browsing the Facebook search results and in their HTML I noticed that each result contained an iframe element, probably used for the company’s internal monitoring”, said Masas.
The investigator says that, having noticed this, he realized that by checking for an iframe inside the search results page he could determine whether a search query had returned a positive or negative result.
By simply asking basic ‘yes or no’ questions, the digital forensics expert says he could infer whether users liked a particular page, whether they had taken photos in certain geographical locations, whether they had contacts of a particular ethnicity or religion in their friends list, or whether they had shared posts containing specific text, among many other highly confidential details.
Even though these search queries did not expose details directly, they revealed second-hand information about a user’s habits, identity, preferences or circle of friends. It is important to mention that an attacker could not run these search queries through the Facebook Search feature available on any profile.
Masas mentions in his report that an attacker could use a technique known as ‘tab under’ to force the opening of the Facebook search page within a background tab, which keeps the user focused on the main malicious page while it remains hidden, disguised as an online game, a streaming platform or a news site, for example.
Because the ‘tab under’ technique is regularly used today to push intrusive ads, most users don’t even pay attention to a tab opening in the background, believing it to be just another ad.
While the user interacts with the malicious page, the script designed by the digital forensics investigator automates a series of Facebook searches through the Facebook graphics API, counting the number of iframes the search results contained via the ‘fb.frames.length’ property, and recording the results.
It is very likely that, while the bug was present, the attack was more efficient on mobile devices, where tabs are not visible on the screen and only a small open-tab counter is shown, which users often ignore. In addition, the attack does not need to open an individual tab for each search query: the attacker can reload the existing tab with a new search URL at short intervals.
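The automated searches described above arrive at the search endpoint as a rapid burst of distinct queries from one session. The following is an added example (not code from the article or from Facebook) of a server-side detector for that pattern; the log format, field names, sample lines and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines: "<ISO timestamp> <session id> <request path>".
# sess-A issues six different search queries two seconds apart (the burst
# pattern from the article); sess-B is an ordinary user searching twice.
SAMPLE_LOG = """\
2018-11-13T10:00:00 sess-A /search/posts/?q=photos+in+Paris
2018-11-13T10:00:02 sess-A /search/posts/?q=likes+page+X
2018-11-13T10:00:04 sess-A /search/posts/?q=friends+religion+Y
2018-11-13T10:00:06 sess-A /search/posts/?q=posts+containing+Z
2018-11-13T10:00:08 sess-A /search/posts/?q=photos+in+Berlin
2018-11-13T10:00:10 sess-A /search/posts/?q=photos+in+Rome
2018-11-13T10:00:00 sess-B /search/posts/?q=weekend+plans
2018-11-13T10:05:00 sess-B /search/posts/?q=birthday+party
"""

def parse_line(line):
    """Split one log line into (timestamp, session id, search query)."""
    ts, session, path = line.split(" ", 2)
    query = parse_qs(urlparse(path).query).get("q", [""])[0]
    return datetime.fromisoformat(ts), session, query

def find_search_bursts(log_text, window=timedelta(seconds=30), threshold=5):
    """Return {session: max distinct queries} for sessions that issued at
    least `threshold` distinct search queries inside any sliding `window`."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, session, query = parse_line(line)
            by_session[session].append((ts, query))
    flagged = {}
    for session, events in by_session.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until all events fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {q for _, q in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[session] = peak
    return flagged

if __name__ == "__main__":
    print(find_search_bursts(SAMPLE_LOG))  # {'sess-A': 6}
```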
Exploitation proof of concept: