Facebook is Leaking Your Likes and Interests!
A new Facebook vulnerability reported by SiliconANGLE has recently been patched by the social media giant. According to security researcher Ron Masas, who works for cybersecurity firm Imperva, Inc., this vulnerability exposed Facebook to a specific type of attack known as a cross-site request forgery, or CSRF. Theoretically, this means that someone running a malicious website could gather information about your likes and interests, as well as your friends’ likes and interests, should you happen to visit that bad-actor website. The fact that Facebook was leaking your likes and interests has a lot of people on edge, and while there are no reports of any malicious actors exploiting this vulnerability, the existence of such a bug in the first place plays into long-standing narratives that question Facebook’s handling of data and privacy issues.
How Did This New Facebook Vulnerability Work?
According to extensive reporting by SiliconANGLE and work by Ron Masas, this new Facebook vulnerability had a convoluted but potent means of attack. Should a bad actor set up a malicious website and encourage Facebook users to visit it, those users could unwittingly have been putting their data at risk through a process known as domain cross over.
Essentially, this outsider website could have taken advantage of a CSRF vulnerability in Facebook’s code to trick Facebook into opening up specific areas of data. There are likely several reasons why there have been no reports (as of yet) that such an attack took place. First and foremost, this attack relies on a series of variables: the user must be on a malicious website and simultaneously have Facebook open in a separate tab.
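The precondition described above (the victim is logged in to the site in another tab, so the browser attaches the session cookie to a request the malicious page triggers) and the standard defences against it, as an added illustration that is not Facebook’s or Imperva’s code; the origin, cookie and parameter names are assumed.

```python
# Added example (not Facebook's or Imperva's code): why a live session in another
# tab is the CSRF precondition, and how an origin check plus a session-bound
# token blocks the forged request. Origin, cookie and parameter names are assumed.
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "https://social.example"      # assumed first-party origin
SERVER_SECRET = b"demo-secret-constructed"   # constructed for the demo only

@dataclass
class Request:
    cookies: dict
    headers: dict
    params: dict = field(default_factory=dict)

def csrf_token(session_id: str) -> str:
    """Token bound to the session with a server secret. A malicious site can make
    the browser *send* the cookie but cannot *read* it, so it cannot compute this."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def cookie_only_check(req: Request) -> bool:
    """Vulnerable pattern: authorizes on the session cookie alone. The browser
    attaches that cookie to cross-site requests too, so a forged request looks
    exactly like the user's own."""
    return req.cookies.get("session") is not None

def hardened_check(req: Request) -> bool:
    """Require a session, an Origin/Referer on our own origin (exact scheme+host
    match, not a prefix match) and a token bound to that session."""
    sid = req.cookies.get("session")
    if sid is None:
        return False
    parsed = urlparse(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False
    return hmac.compare_digest(req.params.get("csrf_token", ""), csrf_token(sid))

# Constructed requests: the user's own page, and one triggered by a malicious
# page while the user is still logged in (same cookie, foreign origin, no token).
LEGIT = Request({"session": "sess-123"}, {"Origin": SITE_ORIGIN},
                {"csrf_token": csrf_token("sess-123")})
FORGED = Request({"session": "sess-123"}, {"Origin": "https://attacker.example"})

def outcomes() -> dict:
    return {"cookie_only_accepts_forged": cookie_only_check(FORGED),
            "hardened_accepts_forged": hardened_check(FORGED),
            "hardened_accepts_legit": hardened_check(LEGIT)}
```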
Nonetheless, Facebook has gone ahead and repaired the bug. But the security vulnerability comes at a bad time for a social media company that has tried hard to repair its image after past security mishaps.
Bad Reputation and Lobbying
Masas’s discovery of this CSRF vulnerability comes on the heels of several high-profile scandals at Facebook. During the 2016 election, Facebook turned a blind eye to Russian trolls seeking to interfere with the U.S. general election. At the same time, Cambridge Analytica reportedly stole the personal information of tens of millions of users. More recently, Facebook reported that a hack successfully pilfered millions of users’ account tokens.
If this weren’t bad enough, in recent days, it’s become apparent that Facebook had more interest in hiding these incidents than in addressing them in a way that’s appropriate for the social media company’s outsized role in the United States’ democratic process. A New York Times report alleges that Facebook hired a Republican lobbying company to distract Facebook users from the social media company’s woes by spreading conspiracy theories about George Soros.
Data is Valuable
The safety and privacy of user data at Facebook remains unclear, in large part because the company’s repeated reassurances seem undermined by each successive scandal. The CSRF bug, discovered by Masas and repaired by Facebook, might seem harmless at first. But the data involved—users’ likes and interests—is incredibly valuable.
The value of that data continues to make it a tempting target. While Facebook moved swiftly to correct this particular vulnerability, some users still feel understandably uneasy about their personal data. That’s understandable, and most experts don’t see that changing any time soon. Facebook, for its part, seems more interested in presenting the appearance of change than in doing the hard work involved in implementing that change. That might not be a new Facebook vulnerability, but it is certainly the social media giant’s most potent one.
Are you upset that Facebook is leaking your Likes and Interests? How are you responding to the newly reported Facebook Vulnerability? Comment below and let us know your thoughts. Want to keep them private? Shoot us an email to Outreach@