In a previous blog we highlighted a vulnerability in Chrome that allowed bad actors to steal Facebook users’ personal information; and, while digging around for bugs, thought it prudent to see if there were any more loopholes that bad actors might be able to exploit.

What popped up was a bug that could have allowed other websites to extract private information about you and your contacts.

Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved.

Identifying the Threat

Throughout the research process for the Chrome piece, I browsed Facebook’s online search results, and in their HTML noticed that each result contained an iframe element — probably used for Facebook’s own internal tracking. Being pretty familiar with the unique cross-origin behavior of iframes, I came up with the following technique:

To start, let’s take a look at the Facebook search page, we have an endpoint that expects a GET request with a number of search parameters. The endpoint, like most search endpoints, is not cross-site request forgery (CSRF) protected, which normally allows users to share the search results page via a URL.

This is fine in most cases since no action is being made by the user, making this CSRF attack meaningless by itself. The thing is, iFrames, unlike most web elements, are exposed in part to cross-origin documents; combine that with the search CSRF issue and you have a real problem on your hands.

Check out the proof of concept here:

Attack Flow

For this attack to work we need to trick a Facebook user to open our malicious site and click anywhere on the site, (this can be any site we can run JavaScript on) allowing us to open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want.

Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.

By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.

For example, by searching: “pages I like named `Imperva`” we force Facebook to return one result if the user liked the Imperva page or zero results if not: