Category Archives: social networks

A bug in Facebook Photo API exposed photos of 6.8 Million users

New problems for Facebook: the social network giant has announced that a bug in its Photo API could have allowed third-party apps to access users’ photos they were never authorized to see.

Facebook announced that photos of up to 6.8 million users may have been exposed by a bug in the Photo API that let third-party apps read photos beyond those the user had shared with them.
The bug affected up to 1,500 apps built by 876 developers; only apps that the user had explicitly granted access to their photos could have been affected.
According to Facebook, the flaw exposed user photos for 12 days, between September 13 and September 25, 2018.

The flaw was discovered by Facebook’s internal team and affected users who had used Facebook Login and allowed third-party apps to access their photos.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.

Normally, an app granted the photos permission can access only images shared on the user’s timeline. The bug could also have exposed other photos, including ones shared on Facebook Marketplace or via Stories, and even photos that were uploaded but never posted.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.

Facebook is notifying impacted people via an alert in their account.

“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.

“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”
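The following JavaScript is an added illustration by the editor, not Facebook’s code and not a description of how its Photo API is implemented. It models the class of bug described above: a photo endpoint whose permission check is tied to ownership rather than to the surface the permission is documented to cover, beside the correctly scoped version, a regression check that enumerates what an app can actually reach, and an impact query over access logs for the 13 to 25 September window, of the kind Facebook said it would offer developers. The photo surfaces, the mapping of the `user_photos` permission to the timeline surface, the token format, and all photo and log records are assumptions constructed for the example.

```javascript
// Editor's example, not Facebook's code. Everything below is constructed.

// Constructed photo store; "surface" mirrors the categories named in the post.
const PHOTOS = [
  { id: 'p1', owner: 'u1', surface: 'timeline' },
  { id: 'p2', owner: 'u1', surface: 'marketplace' },
  { id: 'p3', owner: 'u1', surface: 'stories' },
  { id: 'p4', owner: 'u1', surface: 'unposted' },   // uploaded but never posted
  { id: 'p5', owner: 'u2', surface: 'timeline' },
  { id: 'p6', owner: 'u2', surface: 'unposted' },
];

// Deny-by-default allowlist: each permission maps to the surfaces it may read.
// Only `user_photos` appears in the post; the mapping itself is an assumption.
const SCOPE_SURFACES = {
  user_photos: new Set(['timeline']),
};

function surfacesAllowedBy(scopes) {
  const allowed = new Set();
  for (const scope of scopes) {
    for (const s of SCOPE_SURFACES[scope] || []) allowed.add(s);
  }
  return allowed;
}

// Buggy variant: checks that the token carries the permission, then filters
// on ownership only, so every photo the user owns comes back.
function listPhotosBuggy(token, userId) {
  if (token.user !== userId || !token.scopes.includes('user_photos')) return [];
  return PHOTOS.filter(p => p.owner === userId);
}

// Fixed variant: ownership AND the photo's surface must be covered by a scope.
function listPhotosFixed(token, userId) {
  if (token.user !== userId) return [];
  const allowed = surfacesAllowedBy(token.scopes);
  return PHOTOS.filter(p => p.owner === userId && allowed.has(p.surface));
}

// Regression check: run a handler and report every photo it returned from a
// surface the token's scopes do not cover. An empty list means "in scope".
function scopeViolations(handler, token, userId) {
  const allowed = surfacesAllowedBy(token.scopes);
  return handler(token, userId).filter(p => !allowed.has(p.surface)).map(p => p.id);
}

// Impact analysis over access logs: which users did each app reach on a
// non-timeline surface during the exposure window? Window is 13-25 Sept 2018,
// so the end bound is the start of 26 Sept, exclusive.
const WINDOW_START = Date.parse('2018-09-13T00:00:00Z');
const WINDOW_END = Date.parse('2018-09-26T00:00:00Z');

// Constructed access log entries (not real data).
const ACCESS_LOG = [
  { ts: '2018-09-12T23:59:00Z', app: 'appA', user: 'u1', photo: 'p4' }, // before window
  { ts: '2018-09-14T10:00:00Z', app: 'appA', user: 'u1', photo: 'p1' }, // timeline: normal
  { ts: '2018-09-14T10:00:01Z', app: 'appA', user: 'u1', photo: 'p4' }, // unposted: impacted
  { ts: '2018-09-20T08:30:00Z', app: 'appB', user: 'u2', photo: 'p6' }, // unposted: impacted
  { ts: '2018-09-25T23:59:59Z', app: 'appB', user: 'u1', photo: 'p3' }, // stories: impacted
  { ts: '2018-09-26T00:00:00Z', app: 'appB', user: 'u2', photo: 'p6' }, // after window
];

function findImpacted(log, photos = PHOTOS) {
  const byId = new Map(photos.map(p => [p.id, p]));
  const impacted = {};
  for (const e of log) {
    const t = Date.parse(e.ts);
    if (t < WINDOW_START || t >= WINDOW_END) continue;
    const photo = byId.get(e.photo);
    if (!photo || SCOPE_SURFACES.user_photos.has(photo.surface)) continue;
    (impacted[e.app] = impacted[e.app] || new Set()).add(e.user);
  }
  // Sorted user lists per app, ready to hand to the developer of each app.
  return Object.fromEntries(
    Object.entries(impacted).map(([app, users]) => [app, [...users].sort()]),
  );
}

// Stand-alone run: show the buggy handler leaking three surfaces.
const demoToken = { user: 'u1', scopes: ['user_photos'] };
console.log('buggy violations:', scopeViolations(listPhotosBuggy, demoToken, 'u1'));
console.log('fixed violations:', scopeViolations(listPhotosFixed, demoToken, 'u1'));
console.log('impacted:', findImpacted(ACCESS_LOG));
```

The point of `scopeViolations` is that it is independent of the handler under test: the same check can be run against every endpoint that serves a permission, so a change that widens what a scope returns fails a test instead of shipping.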

Pierluigi Paganini

(Security Affairs –Facebook, privacy)

The post A bug in Facebook Photo API exposed photos of 6.8 Million users appeared first on Security Affairs.

Episode 124: The Twitter Accounts Pushing French Protests. Also: social engineering the Software Supply Chain

In this week’s podcast (#124): we speak with French security researcher Baptiste Robert about research on the social media accounts pushing the French "Yellow Vest" protests. Surprise, surprise: they're not French. Also: Brian Fox of the firm Sonatype joins us to talk about the recent compromise of the Github event-stream project and why...


Major Privacy Issues in Google+ Force Its Shutdown Earlier than Planned

Google+ and its APIs are shutting down sooner than announced after a new privacy bug that exposed the data of more than 52 million users was detected in November, Google announced on Monday.

Personal information such as age, name and email address was accessible to third-party app developers for six days before the bug was fixed, but there is no evidence that developers misused the data. The company assures users that passwords, financial information and any data that could be used for fraud or identity theft were not compromised.

“We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced,” Google said. “No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”

The company had already disclosed a bug in October that exposed personal information of 500,000 users, including names, email addresses and occupations. That first incident led to the decision to close the network by August 2019, and the vulnerability found in November accelerated the process. As a result, all Google+ APIs will shut down within 90 days, while the consumer version of Google+ will close earlier, in April 2019, “to ensure the protection of our users.”

Following these privacy incidents, Google will most likely struggle to regain consumer trust, as its business model is built on services that collect personal information. As reported by the Wall Street Journal, lawmakers will probably also step in, following allegations that Google chose to conceal the original bug for months for fear of regulatory scrutiny and reputational damage.

HOTforSecurity

British MP: Facebook was aware about Russian activity at least since 2014

A British MP claims Facebook was aware of Russian political interference in 2014, long before the events became public.

The British MP Damian Collins, head of a parliamentary inquiry into disinformation, revealed that one of the emails seized from US software company Six4Three as part of a US lawsuit, demonstrates that a Facebook engineer had notified the social network giant in October 2014 that Russian IP addresses were accessing “three billion data points a day” on the network.

“British MPs joined together with fellow lawmakers from the parliaments of Argentina, Brazil, Canada, France, Ireland, Latvia and Singapore in an unusual move aimed at emphasising international solidarity on the issue,” reported AFP.

The information was shared during an international hearing that parliament hosted on Tuesday to gather info into disinformation and “fake news.”

The emails confirmed that Facebook was aware of the activity of Russian threat actors in 2014, when they pulled a huge amount of data from the platform.

“If Russian IP addresses were pulling down a huge amount of data from the platform was that reported or was that just kept, as so often seems to be the case, within the family and not talked about,” Collins asked Richard Allan, Facebook’s Vice President of Policy Solutions.

Allan, who represented the company at the hearing, replied that the information could be used to give a distorted interpretation of events.

“Any information you have seen… is at best partial and at worst potentially misleading” replied Allan. The emails were “unverified partial accounts”.

Allan also defended Facebook CEO Mark Zuckerberg, who has refused to appear before the British parliamentary inquiry.

Since the disclosure of the Cambridge Analytica privacy scandal and the alleged interference in the 2016 US presidential election, Facebook’s data protection policies have been questioned by intelligence analysts and privacy advocates.

“While we were playing with our phones and apps, our democratic institutions… seem to have been upended by fratboy billionaires in California,” Charlie Angus of Canada’s House of Commons told Allan.

Catherine Morin-Desailly of the French Senate described Facebook’s approach to data protection as “a scandal”, and other lawmakers condemned the way Facebook shared user data with third-party companies.

Pierluigi Paganini

(Security Affairs – Facebook, fake news)

The post British MP: Facebook was aware about Russian activity at least since 2014 appeared first on Security Affairs.

Kaspersky Lab official blog: Dangerous liaisons: How relatives and friends give away your secrets

Increasingly, modern technologies are helping people’s secrets move into the public domain. There are many such examples, from massive leaks of personal data to the online appearance of private (and even intimate) photos and messages.

This post will leave aside the countless dossiers kept on every citizen in the databases of government and commercial structures — let’s naively assume that this data is reliably protected from prying eyes (although we all know it isn’t). We shall also discard the loss of flash drives, hacker attacks, and other similar (and sadly regular) incidents. For now, we’ll consider only user uploads of data on the Internet.

The solution would seem simple — if it’s private, don’t publish it. But people are not fully in control of all of their private data; friends or relatives can also post sensitive information about them, sometimes without their consent.

Public genes

The information that goes public might be close to the bone, quite literally. For example, your DNA might appear online without your knowledge. Online services based on genes and genealogy, such as 23andMe, Ancestry.com, GEDmatch, and MyHeritage, have been gaining in popularity of late (incidentally, MyHeritage suffered a leak quite recently, but that’s a topic for a separate post). Users voluntarily hand over a biomaterial sample to these services (saliva or a smear from the inside of the cheek), on which basis their genetic profile is determined in the lab. This can be used, for example, to trace a person’s ancestry or establish genetic predisposition to certain diseases.

Confidentiality is not on the agenda. Genealogical services work by matching profiles with ones already in their database (otherwise, family members will not be found). Users occasionally disclose information about themselves voluntarily for the same reason: so that relatives also using the service can find them. An interesting nuance is that clients of such services simultaneously publish the genealogical information of family members who share their genes. These relatives might not actually want people to track them down, especially based on their DNA.

The benefits of genealogical services are undeniable and have resulted in more than a few happy family reunions. However, it should not be forgotten that public genetic databases can be misused.

Brotherly love

At first glance, the problem of storing genetic information in a public database might seem contrived, with no practical consequences. But the truth is that genealogical services and biomaterial samples (a piece of skin, nail, hair, blood, saliva, etc.) can, under certain circumstances, help identify a person, without so much as a photograph.

The reality of the threat was highlighted in a study published in October in the journal Science. One of the authors, Yaniv Erlich, knows firsthand the ins and outs of this industry; he works for MyHeritage, which provides DNA analysis and family tree services.

According to the research, roughly 15 million people to date have undergone a genetic test and had a profile created in electronic form (other data indicate that MyHeritage alone has more than 92 million users). Focusing on the United States, the researchers predicted that public genetic data would soon allow any American with European ancestry (a very large proportion of those so far tested) to be identified by their DNA. Note that it makes no difference whether the subject initiated the test or whether it was done by a curious relative.

To show how easy DNA identification really is, Erlich’s team took the genetic profile of a member of a genome research project, punched it into the database of the GEDmatch service, and within 24 hours had the name of the owner of the DNA sample, writes Nature.

The method has also proved useful to law enforcers, who have been able to solve several dead-end cases thanks to genealogical online services.

How the DNA chain unmasked a criminal

This past spring, after 44 years of unsuccessful searching, a 72-year-old suspect in a series of murders, rapes, and robberies was arrested in California. He was fingered by genealogical information available online.

Lab analysis of biomaterial found at the crime scene resulted in a genetic profile that met the requirements of public genealogical services. Acting as regular users, the detectives then ran the file through the GEDmatch database and compiled a list of likely relatives of the criminal.

All of the matches — more than a dozen in all — were rather distant relatives (none closer than a second cousin). In other words, these people all had common ancestry with the criminal tracing back to the early nineteenth century. As described by the Washington Post, five genealogists armed with census archives, newspaper obituaries, and other data then proceeded to move from these ancestors forward in time, gradually filling in empty slots in the family tree.

A huge circle of distant but living relatives of the perpetrator was formed. Discarding those who did not fit the age, sex, and other criteria, the investigators eventually homed in on the suspect. The detective team then followed him, got hold of an object with a DNA sample on it, and matched it against the material found at the crime scene many years before. The DNA in the samples was the same, and 72-year-old Joseph James DeAngelo was arrested.

The case spotlighted the main benefit of genealogical online public services over the DNA databases of law-enforcement agencies from the viewpoint of investigators. The latter databases store information only on criminals, whereas the former are full of noncriminal users who cast a virtual net over their relatives.

Now imagine that a person is wanted not by the law, but by a criminal group — maybe an accidental witness or a potential victim. The services are public, so anyone can use them. Not so good.

Incriminating tags

DNA-based searches using public services are still fairly niche. Besides creating genetic profiles, a more common way for well-meaning friends and relatives to inadvertently reveal your whereabouts to criminals, law-enforcement agencies, and the world at large is through the ubiquitous practice of tagging photos, videos, and posts on social media.

Even if no ill-wishers are looking for you, these tags can cause embarrassment. Let’s say a carefree lab technician decides to upload photos from a lively staff party and tags everyone in it, including a distinguished professor. The photos immediately and automatically pop up on the latter’s page, undermining his authority in the eyes of students.

A careless post such as this could well lead to dismissal or worse for the person tagged. By the way, any information in social networks can readily form the missing link in the type of search described above, using the public databases of genealogical services.

How to configure tagging

Social networks allow users to control tags and mentions of themselves to varying degrees. For example, Facebook and VK.com let you remove tags from photos published by others and limit the circle of people who can tag you or view materials with tags of you. Facebook users can keep the photos they upload from being seen by friends of people tagged in them, and the VK.com privacy settings let users create a white list of users allowed to view photos with tagged individuals.

Curiously, Facebook not only encourages users to tag friends through hints generated by face-recognition technology (this feature can be disabled in the account settings), but also helps to control their privacy: The social network sends a notification if that technology spots you in someone else’s pic.

As for Instagram, this is what it has to say on the matter: All people, except those you have blocked, can tag you in their photos and videos. That said, the social network lets you choose whether photos with you tagged appear on your profile automatically or only after your approval. You can also specify who can view these posts in your profile.

Despite these functions offering partial control over where and when you pop up, the potential threats are still numerous. Even if you slap a ban on people tagging you in pictures, your name (including a link to the page) might still be mentioned in the description or comments on a photo. That means that the photo is still linked to you, and keeping track of such leaks is near impossible.

With friends like these

Friends and relatives aren’t the only ones who might give away your secrets to third parties. Technologies themselves can also do it, for example, because of the peculiarities of the recommendations system.

VK.com suggests friending people with whom users have mutual friends in the social network. Meanwhile, the Facebook algorithm is far more active in its search for candidates, sometimes recommending fellow members of a particular group or community (school, university, organization). In addition, the friend-selection process employs users’ contact information uploaded to Facebook from mobile devices. However, Facebook does not disclose all of the criteria by which its algorithm selects potential friends, and sometimes you may be left guessing about how it knows about your social connections.

How does this relate to privacy? Here’s an example. In a particularly awkward case, the system recommended unacquainted patients of a psychiatrist to each other — and one of them even divined what they had in common. Health-related data, especially psychiatric, is among the most sensitive there is. Not many would voluntarily agree to it being stored on social media.

Similar cases were cited in a US Senate Committee appeal to Facebook following the Senate hearing in April 2018 on Facebook users’ privacy. In its response, the company did not comment on cases involving patients, listing only the abovementioned sources of information for its friend-suggestion algorithm.

What next?

The Internet already stores far more social and even biological information about us than we might imagine. And one reason we can’t always control it is simply that we don’t know about it. With the advance of new technologies, it is highly likely that the very concept of private data will soon become a thing of the past — our real and online selves are becoming increasingly intertwined, and any secret on the Internet will be outed sooner or later.

However, the problem of online privacy has been raised lately at the level of governments worldwide, so perhaps people can still find a way to fence themselves off from nosy outsiders.



Kaspersky Lab official blog

Security Affairs: UK Parliament seized confidential Facebook docs to investigate its data protection policies.

The UK Parliament has seized confidential Facebook documents from the developer of a now-defunct bikini photo search app in order to investigate the company’s data protection policies.

A British lawmaker compelled a visiting tech executive to hand over the files ahead of an international hearing that parliament is hosting on Tuesday on disinformation and “fake news.”

Committee chairman Damian Collins obtained and reviewed the documents, which the parliament’s Digital, Culture, Media and Sport Committee received from the app maker Six4Three and which relate to Facebook.

“Under UK law & parliamentary privilege we can publish papers if we choose to as part of our inquiry.”

Six4Three acquired the files, related to a period between 2013 and 2014, as part of a U.S. lawsuit against Facebook.

The committee is examining the 2015 changes to Facebook’s privacy policies that led Six4Three to shut down its app, Pikinis. Pikinis let users find photos of their friends in bikinis and bathing suits by searching their friends list.

Collins aims to show how abuses of Facebook’s platform could enable misinformation campaigns and interference with political elections.

Lawmakers from seven countries are preparing to question Facebook executive Richard Allan at the committee’s hearing in London next Tuesday. Facebook CEO Mark Zuckerberg has refused to attend.

“The U.K. committee used its powers to compel the chief executive of Six4Three, Theodore Kramer, who was on a business trip to London, to turn over the files, according to parliamentary records and news reports.” reported the AP agency.

“The committee twice requested that Kramer turn over the documents. When he failed to do so, Kramer was escorted to parliament and told he risked imprisonment if he didn’t hand them over, the Observer newspaper reported.”

Facebook opposes disclosure of the files; a judge in California ordered them sealed earlier this year.

Allan informed Collins via email that the judge is expected to give guidance on the legal status of the documents as early as Monday.

“Six4Three’s claims are entirely meritless,” Facebook said in a statement.

Last week, Facebook announced it will appeal the fine imposed for failing to protect users’ privacy in the Cambridge Analytica scandal. The political consultancy Cambridge Analytica improperly collected the data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

The social network giant maintains that UK regulators failed to prove that British users were directly affected.

Britain’s Information Commissioner’s Office (ICO) also found that the company failed to be transparent about how people’s data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, the company did not do enough to ensure that those who still held it had taken adequate and timely remedial action, including deletion. Other companies, such as the SCL Group, continued to access Facebook users’ data until 2018.

Facebook considers the fine unacceptable, arguing that many practices that are commonly accepted online would fall foul of the same reasoning, even though they threaten users’ privacy.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post UK Parliament seized confidential Facebook docs to investigate its data protection policies. appeared first on Security Affairs.



Security Affairs

Facebook appeals UK fine in Cambridge Analytica privacy Scandal

Facebook is appealing the £500,000 fine imposed for failing to protect users’ personal information in the Cambridge Analytica scandal.

Facebook is appealing the fine imposed for failing to protect users’ privacy in the Cambridge Analytica scandal. The political consultancy Cambridge Analytica improperly collected the data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

Facebook now maintains that UK regulators failed to prove that British users were directly affected.

Britain’s Information Commissioner’s Office (ICO) also found that the company failed to be transparent about how people’s data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure that those who still held it had taken adequate and timely remedial action, including deletion. Other companies, such as the SCL Group, continued to access Facebook users’ data until 2018.

Facebook considers the fine unacceptable, arguing that many practices that are commonly accepted online would fall foul of the same reasoning, even though they threaten users’ privacy.

“Their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal,” explained the Facebook lawyer Anna Benckert.

“For example, under ICO’s theory people should not be allowed to forward an email or message without having agreement from each person on the original thread. These are things done by millions of people every day on services across the internet.”

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post Facebook appeals UK fine in Cambridge Analytica privacy Scandal appeared first on Security Affairs.

Facebook increases rewards for its bug bounty program and simplifies bug submission

Facebook has updated its bug bounty program, increasing the rewards for security flaws that could be exploited to take over accounts.

Facebook announced an important change to its bug bounty program: the social media giant will pay out as much as $40,000 for vulnerabilities that can be exploited to take over accounts without any user interaction.

The Facebook bug bounty program also covers the other companies owned by the social network giant, including Instagram, WhatsApp, and Oculus.

Vulnerabilities whose exploitation requires minimal user interaction will be paid $25,000.

“The researchers who find vulnerabilities that can lead to a full account takeover, including access token leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.” reads the post published by Facebook.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.” continues the post.

Facebook Bug Bounty post “Increasing Bounties for Account Takeover Vulnerabilities”, posted on Tuesday, November 20, 2018.

Bug bounty programs are becoming crucial for companies that want to assess the security of their products and infrastructure and avoid data breaches.

In September, a vulnerability in the “View As” feature allowed hackers to steal access tokens that could be used to hijack accounts and to access third-party apps that use Facebook as an authentication provider.

Facebook revealed that the hackers accessed the data of 29 million users, fewer than the 50 million initially thought.

The attackers accessed the names, phone numbers and email addresses of 15 million users; for another 14 million users they also accessed usernames, profile details (gender, relationship status, hometown, birthdate, city, and devices), and the 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly, then expanded their activity to the networks of those accounts.

Facebook aims to encourage white hat hackers to report critical flaws in the social media platform by increasing bug bounty awards and simplifying the process for reporting account takeover issues.


Pierluigi Paganini

(Security Affairs – Hacking, Facebook bug bounty program)

The post Facebook increases rewards for its bug bounty program and facilitate bug submission appeared first on Security Affairs.

Facebook flaw could have exposed private info of users and their friends

Security experts from Imperva reported a new Facebook flaw that could have exposed private info of users and their friends.

A new security vulnerability has been reported in Facebook; the flaw could have been exploited by attackers to obtain certain personal information about users and their network of contacts.

The recently discovered issue once again raises concerns about the privacy of the social network giant’s users.

The vulnerability was discovered by security experts from Imperva; it resides in the way the Facebook search feature displays the results of queries submitted by users.

The good news for Facebook users is that the flaw has already been patched, and it did not allow attackers to conduct mass scraping of users’ information: each query leaks only a yes/no answer about the user who is logged in.

The page that displays search results includes an iframe element for each result, and the experts found that the search URL had no protection against cross-site request forgery (CSRF): a third-party site could force a logged-in user’s browser to load it with any query, and the number of iframes in the resulting page is readable from another origin.

Exploitation is simple: the attacker only needs to lure a user who is logged into Facebook in the same browser to a specially crafted website.

The website includes JavaScript code that runs in the background when the victim clicks anywhere on the page (the click is what allows the page to open a popup or a new tab).

“For this attack to work we need to trick a Facebook user to open our malicious site and click anywhere on the site, (this can be any site we can run JavaScript on) allowing us to open a popup or a new tab to the Facebook search page, forcing the user to execute any search query we want.” reads the analysis published by Imperva.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.

By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.”

A query such as “pages I like named `Imperva`” forces the social network to return one result if the user has liked the Imperva page and zero results if not, so the frame count answers a yes/no question about the user.

By composing specific queries it was possible to extract data about the user’s friends; below are some of the example queries the experts provided:

  • Check if the current Facebook users have friends from Israel: https://www.facebook.com/search/me/friends/108099562543414/home-residents/intersect
  • Check if the user has friends named “Ron”: https://www.facebook.com/search/str/ron/users-named/me/friends/intersect
  • Check if the user has taken photos in certain locations/countries: https://www.facebook.com/search/me/photos/108099562543414/photos-in/intersect
  • Check if the current user has Islamic friends: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/intersect
  • Check if the current user has Islamic friends who live in the UK: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/106078429431815/residents/present/intersect
  • Check if the current user wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_me%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
  • Check if the current user’s friends wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_friends%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies

Imperva also published a video PoC of the attack.

The process can be repeated without opening new popups or tabs, because the attacker’s page keeps a reference to the Facebook window and can navigate it to the next search URL by setting its location property, as the code in Imperva’s post shows.

Experts pointed out that mobile users are particularly exposed to this kind of attack because they easily forget windows left open in the background, which allows attackers to extract the results of multiple queries.

Imperva reported the flaw to Facebook through the company’s vulnerability disclosure program in May 2018, and the social network fixed the problem within a few days by implementing CSRF protections.

Pierluigi Paganini

(Security Affairs – Facebook, hacking)

The post Facebook flaw could have exposed private info of users and their friends appeared first on Security Affairs.

WhatsApp overwhelmed by volume of fake news spread in India through group messaging, researchers find

A lack of trust in the mainstream media has led to the dissemination of a large amount of false digital information on social networks, but in India things appear to have taken a turn for the worse, according to BBC researchers.

The acute spread of fake news via groups on WhatsApp, one of the most popular chat platforms in India with some 200 million users, has unleashed profound violence in the country, with some 30 people killed over the past year after being accused of kidnapping children, writes The Guardian.

WhatsApp is having a hard time ending or controlling disinformation, the BBC World Service found. The practice is linked to growing Hindu nationalism and the dropping price of mobile data, as well as to the strong encryption behind WhatsApp communication. It is not uncommon for Indians to put more faith in what an acquaintance says than in the traditional media.

“It is not that people don’t know that there are more credible and less credible sources,” said the researchers cited by The Guardian. “Nor is it the case that they don’t care about consuming incorrect information. It’s that on the digital platforms, while contending with the flood of onrushing information, they simply cannot be bothered.”

Research leader Dr Santanu Chakrabarti says the current Indian prime minister, known for validating Hindu nationalism, has created the belief that it is their duty to spread the information through the group-messaging app, as they assume it has already been checked and confirmed.

“They are effectively looking for validation of their belief systems,” he said. “On these platforms, then, validation of identity trumps verification of the fact.”

Beware of scams! Elon Musk is not giving away bitcoin on Twitter

“Elon Musk” scams are invading people’s Twitter timelines again, Business Insider reports. The fake accounts announce that Musk has left his CEO position at Tesla and is all of a sudden feeling generous enough to hand out digital currency to random people on Twitter. More precisely, they claim to be giving out “Bitcoic” by inviting followers to participate in a fake cryptocurrency giveaway.

Source: Cointelegraph.com

Cryptocurrency scams have gained popularity and show no sign of slowing down. Hackers are now even promoting them through Twitter’s ad service. How do they work?

Trying to make a quick buck off the cryptocurrency mania, hackers compromise legitimate accounts; accounts known to have been hacked include Pantheon Books, the film production company Pathe UK and US, and politician Frank Pallone Jr. The hackers then change the account names and pictures and start tweeting their scams, sometimes by infiltrating Musk’s mentions. Now, thanks to sponsored ads, the scams are visible on people’s timelines. And they must be working: one account has allegedly raised some $170,000.

“Impersonating another individual to deceive users is a clear violation of the Twitter Rules,” said a company spokesperson. “Twitter has also substantially improved how we tackle cryptocurrency scams on the platform. In recent weeks, user impressions have fallen by a multiple of 10 as we continue to invest in more proactive tools to detect spammy and malicious activity. This is a significant improvement on previous action rates.”

Since these scams started, Twitter has been trying to take them down. The company has come up with strategies to prevent accounts from undergoing major changes, such as blocking name changes. Obviously, it has to keep working on the problem, as these measures have not proven very successful so far.

Russian hackers compromise 120 million Facebook accounts; private messages on sale online

Facebook has fallen victim to countless security breaches, and November brings even more bad news for the social network. Russian hackers are selling the private conversations of at least 81,000 Facebook accounts at 10 cents per account, writes the BBC.

According to the BBC Russian Service, which communicated with the hackers, the criminals claim to have the private conversations of 120 million accounts and, of course, they are willing to sell for the right price. Most of the accounts belong to users in Ukraine and Russia, but some come from other countries such as the UK, US and Brazil.

The data breach was detected in September when the hackers announced on a forum that “We sell personal information of Facebook users. Our database includes 120 million accounts.”

The IP address of the website has been linked to the dissemination of the LokiBot Trojan, malware that lets criminals steal user passwords.

Facebook claims the security of its messaging platform was not compromised, and blames malicious browser extensions posing as games and bookmarking applications. For users who did not hide this information, email addresses and phone numbers may also have been compromised.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

The BBC Russian Service reached out to the hackers via the emails provided in the announcement, asking to buy the details of 2 million accounts. Following the email exchange, BBC says the hackers denied any relation to the Cambridge Analytica story or other hacks, and claimed they were not linked to the Russian government or Internet Research Agency.

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?

Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites are in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.