The security flaw involved a cross-site request forgery (CSRF) attack, which tricks a page into performing actions it is not supposed to, combined with the browser's existing logged-in Facebook session.
Facebook said it fixed the bug within days of being alerted to it. In practice, a website, or the person running it, could have silently pulled some of your data from the Facebook profile you were logged in to in another tab. "This is especially risky for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker's site", he explained.
Instead of scrambling after the fact to patch a hole under intense public scrutiny, Facebook was quietly notified months ago about a potential issue with iframes.
Facebook engineers have plugged another bug in the social network's underlying codebase that could have allowed a malicious actor to stealthily collect highly personal information about Facebook users. The flaw could let attackers learn information such as the names of the user's friends, liked pages and interests, and find particular posts by searching for certain keywords. By manipulating Facebook's graph search, it was possible to craft search queries whose results reflected personal information about the user.
The social media company also denied seeing any evidence that the attack was exploited prior to Masas' discovery.
While researching a vulnerability in the Chrome browser, Masas noticed an iframe element in the HTML of Facebook's online search results, likely used for Facebook's internal tracking.
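The attack described above depends on two things a defender controls: an authenticated results page that any other origin can load in an iframe, and a session cookie that the browser attaches to that cross-site load. The following is an added example, not Facebook's or Imperva's code and not the fix Facebook shipped: a plain Node.js sketch of the generic mitigation for this class, showing a weak header set beside a hardened one (anti-framing headers plus a SameSite cookie attribute) and a server-side check that rejects cross-site requests for user-specific content using Fetch Metadata headers with an Origin fallback. Function names, the `ownOrigin` parameter and the sample request headers are constructed for illustration.

```javascript
// Added example (not Facebook's or Imperva's code). Header names are
// lowercased on the request side because Node.js normalises them that way.

// Weak configuration: the page is frameable by any origin and the session
// cookie rides along on cross-site loads, so a framing site can drive
// authenticated searches in the victim's session.
const weakHeaders = {
  'Set-Cookie': 'session=abc123; Secure; HttpOnly', // constructed sample
};

// Hardened configuration: forbid embedding by other origins (legacy
// X-Frame-Options plus the CSP frame-ancestors directive, which modern
// browsers prefer) and keep the session cookie off cross-site requests.
function hardenResponseHeaders(headers) {
  const out = { ...headers };
  out['X-Frame-Options'] = 'DENY';
  out['Content-Security-Policy'] = "frame-ancestors 'none'";
  if (out['Set-Cookie']) {
    out['Set-Cookie'] = out['Set-Cookie']
      .split(';')
      .map((s) => s.trim())
      .filter((s) => s && !/^samesite=/i.test(s)) // drop any existing SameSite
      .concat('SameSite=Strict')
      .join('; ');
  }
  return out;
}

// Resource-isolation check for endpoints that return per-user data.
// Sec-Fetch-Site is sent by modern browsers and cannot be set by page
// script; Origin is the fallback for clients that omit Fetch Metadata.
// A cross-site top-level navigation (a user clicking a link on another
// site) is still allowed; framing, fetch(), <img> and similar cross-site
// loads are not.
function isCrossSiteRequest(reqHeaders, ownOrigin) {
  const site = (reqHeaders['sec-fetch-site'] || '').toLowerCase();
  if (site === 'cross-site') {
    const mode = (reqHeaders['sec-fetch-mode'] || '').toLowerCase();
    const dest = (reqHeaders['sec-fetch-dest'] || '').toLowerCase();
    return !(mode === 'navigate' && dest === 'document');
  }
  if (site) return false; // same-origin, same-site or none (user-initiated)
  const origin = reqHeaders['origin'];
  return Boolean(origin && origin !== ownOrigin);
}

// Request handler for a hypothetical search-results endpoint: refuse
// cross-site callers, and always emit the hardened headers.
function handleSearchRequest(reqHeaders, ownOrigin) {
  if (isCrossSiteRequest(reqHeaders, ownOrigin)) {
    return { status: 403, headers: hardenResponseHeaders({}), body: 'cross-site request rejected' };
  }
  return {
    status: 200,
    headers: hardenResponseHeaders(weakHeaders),
    body: '<search results for the logged-in user>', // constructed placeholder
  };
}

module.exports = { weakHeaders, hardenResponseHeaders, isCrossSiteRequest, handleSearchRequest };
```

`SameSite=Strict` is the tightest choice; sites that need the session to survive a top-level navigation from an external link usually settle on `SameSite=Lax`, which still withholds the cookie from cross-site iframes and subresource loads. The `frame-ancestors` directive, not the cookie attribute, is what stops the page from being embedded at all, so the two complement rather than replace each other.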
Imperva, a cybersecurity company, discovered the flaw and disclosed it to Facebook in May. Attackers could also search for posts that contained specific text from the user or their friends.
Masas said the bug allowed websites to see the user's interests as well as their friends' interests, even if their privacy settings allowed only friends to see those interests. Moreover, it is not known how long this vulnerability existed or whether it was exploited in the wild.
The bug was reported to Facebook and fixed earlier in May. "We appreciate this researcher's report to our bug bounty program", said Margarita Zolotova, a Facebook spokesperson.