Facebook earlier this year reportedly patched a vulnerability in its search page that could have allowed enterprising attackers to perform reconnaissance on certain users.
In a company blog post today, Imperva security researcher Ron Masas wrote that Facebook fixed the issue shortly after he discovered the flaw back in May.
Masas reportedly noticed that Facebook's search page had a dangerous combination of conditions: the search endpoint was not cross-site request forgery (CSRF) protected and the HTML found within Facebook's online search results contained iframe elements that exhibit cross-origin behavior.
Prior to the fix, attackers could have taken advantage of these conditions by tricking users into opening a malicious website and clicking anywhere upon it in order to secretly open a pop-up or tab containing the Facebook search page.
At this point the attackers could have forced the victimized users to perform Facebook search queries revealing certain related details about themselves.
Such details apparently would have been limited to numerical data, such as how many Facebook friends they have from a specific country. The attackers would have been able to know the exact amount based on the number of iframe elements on the page, because one iframe equals one search result.
It also would have been possible for the attackers to query a specific name and confirm that the user was friends with that person, or query a specific web page and confirm that the user liked that page. In such instances, the presence of a single iframe element would indicate a positive hit -- in other words, a "yes" -- while zero iframe elements would be tantamount to a "no."
"We appreciate this researcher's report to our bug bounty program," a Facebook spokesperson told SC Media. "We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."