
Facebook bug allowed other sites to view users' likes and interests

Facebook patched the issue soon after a researcher identified it in May.

Facebook's privacy woes are a little murkier after it emerged a bug allowed websites to extract certain data from users' profiles, such as their interests and likes, without them knowing about it. Facebook fixed the bug a few days after Imperva security researcher Ron Masas flagged it in May, and the company told TechCrunch it hasn't seen any abuse of the vulnerability.

The company wasn't protecting its search results from cross-site request forgery, Masas found. Bad actors could have used an iframe (which lets people embed material such as PDFs, YouTube videos or other pages within web pages) to open a Facebook tab and collect information.

Attackers could have run queries with certain graph searches, such as to find out whether you liked a page, if you took photos at a certain location or if you or your friends used specific keywords in your posts. The bug could have also allowed malicious sites to find out which of your friends liked a certain page or identified with a certain religion.
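For readers who run per-user search endpoints of their own, here is an added illustration of one common server-side defence against the cross-site requests described above: reject requests another site initiated, using the browser's Fetch Metadata headers, and forbid cross-origin framing. It is not Facebook's fix, which this article does not describe; the `/search` prefix, function names and sample requests are constructed.

```javascript
'use strict';
// Added example. Route prefix and sample requests are constructed/hypothetical.
const SENSITIVE_PREFIXES = ['/search'];

// headers: plain object with lower-cased names, as Node's http module provides.
function evaluateRequest(path, headers) {
  const sensitive = SENSITIVE_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
  if (!sensitive) return { allow: true, reason: 'not a per-user endpoint' };

  const site = headers['sec-fetch-site'];
  // Browsers without Fetch Metadata send nothing; rely on the response headers instead.
  if (site === undefined) return { allow: true, reason: 'no fetch metadata' };
  // 'same-origin' = our own pages; 'none' = typed URL or bookmark.
  if (site === 'same-origin' || site === 'none') return { allow: true, reason: site };
  // Anything initiated by another site (iframe, script, new tab) is refused.
  const dest = headers['sec-fetch-dest'] || 'unknown';
  return { allow: false, reason: `${site} request, dest=${dest}` };
}

// Headers for every response from a sensitive endpoint.
function protectiveHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'", // refuse cross-origin framing
    'X-Frame-Options': 'SAMEORIGIN',                      // same, for older browsers
    'Cross-Origin-Opener-Policy': 'same-origin',          // cross-origin opener keeps no window handle
    'Vary': 'Sec-Fetch-Site, Sec-Fetch-Dest',             // keep caches from mixing decisions
  };
}

// Constructed sample requests.
const SAMPLES = [
  { name: 'own page', path: '/search/pages', headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'empty' } },
  { name: 'third-party iframe', path: '/search/pages', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'iframe' } },
  { name: 'third-party new tab', path: '/search', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'document' } },
  { name: 'bookmark', path: '/search', headers: { 'sec-fetch-site': 'none', 'sec-fetch-dest': 'document' } },
  { name: 'public page', path: '/about', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'iframe' } },
];

function runSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...evaluateRequest(s.path, s.headers) }));
}

for (const r of runSamples()) console.log(`${r.allow ? 'ALLOW' : 'DENY '} ${r.name}: ${r.reason}`);
```

This policy also refuses cross-site links into search, so a site that wants those to keep working would send them to a page that carries no per-user results.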

Facebook is not the only company that has faced this type of issue, and it seems no one took advantage of this particular vulnerability. However, it's the kind of data that can be used to build a profile of someone for the likes of ad targeting or election profiling -- we saw something similar with the Cambridge Analytica scandal. With Facebook having faced multiple privacy issues in recent times, its data slips will be under close scrutiny for the foreseeable future, even if attackers didn't exploit this particular bug.