The existence of yet another Facebook vulnerability that affected user data was revealed this week by security company Imperva. This latest bug, which was resolved in May, allowed websites to gather private information from Facebook users—and their friends, too. Some of the information this bug exposed included likes, interests, demographics and more.
According to security researcher Ron Masas, hackers could’ve exploited a flaw in Facebook’s search results. If users happened to visit a website run by bad actors, that site could’ve quietly embedded an IFRAME (an HTML element that loads one web page inside another) to collect that user’s information from their logged-in Facebook profile.
“This allowed information to cross over domains—essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” Masas said. “The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Thankfully, this bug was detected and eliminated back in May, and Facebook says that it has seen no signs of abuse. However, it’s troubling that flaws this major are still routinely discovered in the largest social media platform in the world.