Preventing CSRF Attack Forces on Facebook

The vulnerability could allow attackers to open a new tab or pop-up to a Facebook search page and run queries to find a user’s personal information

Until recently, malicious hackers could have seen your entire search history on Facebook and stolen private data including your friend list, interests and much more.

What is it about?
To exploit the vulnerability, attackers would perform a cross-site request forgery (CSRF). A CSRF attack forces an end user to perform unwanted actions on a web application they are currently logged in to.

For the attack to work, a Facebook user must visit a malicious website with Chrome and then click anywhere on that site while still logged in to Facebook. This could allow the attackers to open a new tab or pop-up to the Facebook search page and run queries to find the user’s personal information.

The vulnerability was disclosed in May. Facebook fixed the bug days later by adding CSRF protections and paid out $8,000 in two separate bug bounties.
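One common form of the CSRF protection mentioned above, as an added example (not Facebook's code; the article does not say which protection Facebook chose): a search handler that answers only requests carrying a token bound to the session, and rejects requests the browser labels as cross-site. The request model and the names `handle_search`, `issue_token`, `token_ok`, `SERVER_KEY` and the session id are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Hypothetical server secret; generated per run here, loaded from a secret store in practice.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """CSRF token bound to one session: HMAC-SHA256 over the session id."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id: str, token: str | None) -> bool:
    """Constant-time check that the token was issued for this session."""
    if not token:
        return False
    return hmac.compare_digest(issue_token(session_id).encode(), token.encode())


def handle_search(request: dict) -> tuple[int, str]:
    """Return (status, body). The request dict is a constructed model, not a framework API."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "login required"
    # Fetch Metadata: supporting browsers label requests started by another site.
    # If the header is absent, the decision falls through to the token check.
    if request.get("headers", {}).get("Sec-Fetch-Site") == "cross-site":
        return 403, "cross-site request rejected"
    # The session cookie is attached automatically; the token is not.
    params = request.get("params", {})
    if not token_ok(session_id, params.get("csrf")):
        return 403, "missing or invalid CSRF token"
    return 200, f"results for {params.get('q', '')!r}"


# Constructed sample requests.
SESSION = "sess-constructed-0001"
LEGIT = {"cookies": {"session": SESSION}, "headers": {"Sec-Fetch-Site": "same-origin"},
         "params": {"q": "photos", "csrf": issue_token(SESSION)}}
FORGED = {"cookies": {"session": SESSION}, "headers": {"Sec-Fetch-Site": "cross-site"},
          "params": {"q": "photos"}}
FORGED_NO_HEADER = {"cookies": {"session": SESSION}, "headers": {}, "params": {"q": "photos"}}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("forged", FORGED), ("no header", FORGED_NO_HEADER)]:
        print(name, handle_search(req))
```

Both forged requests carry a valid session cookie, which is why the cookie alone cannot authorize the search.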

Prabesh Choudhary, director at Cryptus Cyber Security Pvt Ltd, said: "This is a cross-site request forgery (CSRF) attack using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information.

"Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019.

"The vulnerability reportedly enabled websites to access private information about Facebook users and their friends through unauthorized access to a company API via a specific behavior in the Chrome browser. This vulnerability was disclosed to Facebook in May and was then patched."

“We appreciate this researcher’s report to our bug bounty program,” Facebook said in a statement, adding that “We’ve fixed the issue in our search page and haven’t seen any abuse. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

Ankush Johar, director at Infosec Ventures, noted: "A CSRF flaw requires the attackers to lure users into visiting a malicious website, which is injected with scripts that steal data. This is usually done either by sending a malicious link to the user via phishing techniques or injecting the scripts into pirated websites or other hacked websites so that anytime a user visits those pages their data gets compromised without their knowledge.

"Although CSRF flaws have a big prerequisite to work, that the user must be logged in to the website while he/she visits the infected page, what makes the Facebook vulnerability risky is that, unlike other websites, most of the users are always logged into Facebook in their browsers, thus putting everyone at massive risk. Moreover, it's not known how long this vulnerability has existed and been exploited in the wild.

"Users are advised to completely avoid clicking on unknown links and especially visiting pirated websites like torrents and free software/movie websites, as most of these websites are equipped with such exploits to steal your data. That is how these websites earn money. Remember, NOTHING IS FOR FREE."

