Thursday, June 8 2023

A Facebook error allows sites to access private data


A vulnerability in Facebook allowed sites to obtain users' private information, including their interests, without the users knowing it. This was revealed by cybersecurity researchers at Imperva in a report pointing out that a malicious site could extract this type of data through another Google Chrome tab.

According to the report, Facebook's search results were not properly protected against cross-site request forgery (CSRF) attacks. For the theft of information to occur, the user had to visit a malicious site and click anywhere on it while logged in to Facebook. At that point, attackers could open a new popup window on Facebook's search page and obtain personal information.

In this tab, the attacker could run queries that have "yes" or "no" answers, for example asking whether a user or their friends like a particular page or have taken photos in a particular place. According to Imperva, it was also possible to get much more specific data, such as all of a person's friends with a given religion or living in a particular city.

Ron Masas, a computer security researcher at Imperva, told TechCrunch that "the vulnerability has exposed the interests of the user and his friends, even if the privacy settings were configured so that the interests would only appear to the user's friends."

The bug was corrected in May this year, and although Facebook has not yet made a formal statement, the specialized outlet The Verge received a response from the social network stating that there are no known cases of information theft due to this vulnerability.

"We appreciate the researcher's report to our rewards program. We've fixed the problem on our search page, and we have not seen any abuse. Since the underlying behavior is not specific to Facebook, we have made recommendations to browser makers and the relevant Internet standards groups to encourage them to take measures to prevent these types of problems from appearing in other web applications," the company said.
