While Facebook is still dealing with the fallout from the Cambridge Analytica data scandal, it seems that some personal data on Facebook may have already been compromised on certain browsers.
A Vulnerability Within Certain Browsers
A group of researchers from Google discovered a bug in browsers Chrome and Firefox that may have inadvertently allowed Facebook users' personal data to get hacked. The vulnerability started in 2016.
A side-channel vulnerability in those browsers known as "mix-blend-mode" made it easier to leak visual content from cross-origin iframes on a personal Facebook page to a malicious website. This is where hackers could locate someone's personal information on Facebook, such as a username, profile picture, and what pages the user has liked. Other browsers, such as Internet Explorer, don't use the "mix-blend-mode" feature.
Any malicious website could easily exploit Facebook to steal a user's personal data. In fact, the problem was so bad that any website that permits iframes for data could be easily attacked.
The bug was widespread partially because Chrome and Firefox are among the two most popular web browsers. About 61 percent of people use Chrome and about 11.5 percent use Firefox.
There is currently no indication as to how many people have been hacked with this method.
While same-origin policy, which is a web security application, typically prevents hacking, the bug could have permitted hackers to avoid this security. Consequently, the information from the Facebook browser could then be transferred to another browser without the consent of the user.
Future Implications After Finding The Bug
To discover this flaw in the browsers, the researchers tested out CSS features multiple times. After discovering the bug, the researchers contacted the browsers in May 2017, two months after other users reportedly contacted Chrome and Firefox about the issue. By 2018, the bugs on both web browsers were removed.
The researchers also contacted Facebook about the vulnerability. They reportedly reached out multiple times to the social media network about the issue. Facebook finally responded, but there wasn't much for it to do besides removing endpoints. The main fix for the bug came from the actual web browsers.
Although the current hacking threat is gone, the researchers believe that there might be more resources that could be impacted by a similar breach in the future.
"Mix-blend-mode is only the tip of the iceberg when it comes to the gigantic rendering feature amount CSS3 and webkit have already introduced," the researchers wrote. "We anticipate more and more of such vulnerabilities to be discovered over the years to come."
