Security researchers have demonstrated how a parsing script can identify Facebook users by the email addresses linked to their accounts, even when those users have privacy settings enabled. The script exploits a class of vulnerability typical of very large web applications with extremely complex distributed architectures, such as Facebook.
Because the parser reads the page source rather than the rendered view, it sees more than an ordinary user does and collects data from a specific section of a publicly accessible page's code. Further analysis then determines what can be obtained from the non-public part of the web resource. By executing a set of commands, the parser then extracts non-public data.
In this case, the parser was likely written specifically for Facebook. The details of this serious vulnerability have not been publicly disclosed. Even though Facebook will now quickly provide a patch, this is unlikely to be the only loophole through which a parser can extract confidential information.
Daniil Chernov, CTO at Dersecur Ltd:
«Parsing scripts are dangerous because they collect information about the web resource architecture, allowing them to obtain both public and private data. In this case, the parser was able to check the database of email addresses against accounts of Facebook users whose email information was hidden through privacy settings. This was possible thanks to a platform vulnerability left by developers of the complex distributed architecture of the Facebook web app».
Attackers can use parsing to collect user data and then launch a large-scale phishing campaign, with the attack scenario and mechanics depending on what data the parser managed to collect. Such a tool can also be used to enrich already leaked databases, allowing attackers to build a more detailed profile of each user and make an attack more likely to succeed. Collected data can also be sold on the darknet to buyers who use it for spam or even fraud.
Ideally, the safest option would be never to enter personal data anywhere. These days, however, most services require us to provide our information. To protect yourself on social media and other services, sign up with an email address that does not expressly identify you: when registering that email address, do not enter your real name or date of birth. If the system requires a contact phone number to log on, you can use a digital SIM. For critical services, such as online banking, we recommend setting up a virtual phone number for verification via SMS or push notification. The email address or phone number created for this purpose should never be used for anything else.