Facebook has patched a bug that could have let anyone view your likes, posts, and friends.
The vulnerability was fixed by Facebook in May after it was first discovered by cybersecurity firm Imperva.
Imperva found a flaw in Facebook’s Search feature that allowed attackers to quietly siphon off user data.
Ron Masas, a security researcher at Imperva, discovered that the Search feature was vulnerable to cross-site request forgery (CSRF) attacks, which take advantage of a user being logged into a service to perform unwanted tasks on their browser.
In this case, users had to visit a malicious website in Google Chrome and already be logged into Facebook.
Users would be tricked into visiting a malicious website and clicking anywhere on the page.
Doing so would open several Facebook searchers in a new tab, allowing hackers to run any number of queries to discover personal information about the user.
Attackers could access data like who you’re friends with, what pages you’ve liked and what interests your friends have.
‘By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,’ Masas explained.
Searches could be made even more specific, based on location, religion, specific words and other factors.
One example given was that attackers could search if a user has taken photos in a certain country or if the user has written posts that contain a specific word or phrase.
He also demonstrated how the attack worked in a video, showing that hackers could see which Pages he liked.
Imperva noted that the vulnerability was not a common technique, but said the attacks could be more common in the coming years.
Facebook emphasized the flaw could also affect other websites.
‘We appreciate this researcher’s report to our bug bounty program,’ a Facebook spokesperson told the Verge.
‘We’ve fixed the issue in our search page and haven’t seen any abuse.
‘As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications,’ the firm added.
It comes as Facebook has faced several user data mishaps over the past year.
In March, it was revealed that approximately 87 million users’ data had been harvested without their knowledge and shared with Trump-affiliated research firm Cambridge Analytica.
Additionally, Facebook announced in October that it had been hit by its worst-ever data breach, with hackers gaining access to 50 million accounts, as a result of a flaw in its ‘View As’ feature.