In a previous blog we highlighted a vulnerability in Chrome that allowed bad actors to steal Facebook users’ personal information; and, while digging around for bugs, thought it prudent to see if there were any more loopholes that bad actors might be able to exploit.
What popped up was a bug that could have allowed other websites to extract private information about you and your contacts.
Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved.
Identifying the Threat
Throughout the research process for the Chrome piece, I browsed Facebook’s online search results, and in their HTML noticed that each result contained an iframe element — probably used for Facebook’s own internal tracking. Being pretty familiar with the unique cross-origin behavior of iframes, I came up with the following technique:
To start, let’s take a look at the Facebook search page, we have an endpoint that expects a GET request with a number of search parameters. The endpoint, like most search endpoints, is not cross-site request forgery (CSRF) protected, which normally allows users to share the search results page via a URL.
This is fine in most cases since no action is being made by the user, making this CSRF attack meaningless by itself. The thing is, iFrames, unlike most web elements, are exposed in part to cross-origin documents; combine that with the search CSRF issue and you have a real problem on your hands.
Check out the proof of concept here:
Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.
By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.
For example, by searching: “pages I like named `Imperva`” we force Facebook to return one result if the user liked the Imperva page or zero results if not: