Facebook recently patched two bugs in its systems that let a non-member check if you're a part of a certain group and draw up a list of members from the same city.
Usually, if you're part of a group, you can check out fellow members' profiles. But that's not possible when you're not part of it, especially when the group is private.
Security researcher Mohamed Shariff found a pair of bugs that allowed non-members to look up group members using queries in GraphQL, a query language developed by Facebook. The first vulnerability let an attacker see the members of a group who share the same city or the same university. The second bug allowed a non-member to check whether a specific person is part of a group.
Shariff reported the bugs to the company in August. A Facebook spokesperson said that the bug was patched and didn't affect private groups that were hidden:
“We found and quickly fixed a bug affecting visible private groups, allowing someone outside of that group to see if someone else was a member of it. The issue did not affect private groups that were hidden.”
With this info, attackers with malicious intent could target people who are part of a certain private group and live in the same city as them. Or they could build up a person's profile from the private groups they're part of to map their interests, and sell that info to a third party. This fix couldn't come soon enough.
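The class of bug described above is a missing authorization check in a resolver: the "members in city" and "is X a member" queries answered for any caller, regardless of whether the caller was allowed to see the group's membership. The following is an added, hypothetical model of that gap and its fix, written for this article; it is not Facebook's code, its GraphQL schema, or Shariff's queries. The users, groups, visibility levels ("public", "private_visible", "private_hidden") and function names are all constructed for illustration. It also shows why the hidden-group case mentioned by the spokesperson behaves differently: a hidden group's resolver refuses to acknowledge the group exists to non-members, so there is nothing for the filtered query to leak.

```python
"""Toy model of a group-membership resolver with and without an
authorization gate. Hypothetical code and constructed data; not
Facebook's implementation."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: str
    city: str


@dataclass
class Group:
    id: str
    visibility: str              # "public" | "private_visible" | "private_hidden"
    members: set = field(default_factory=set)


# Constructed sample data (not real users or groups).
USERS = {
    "u1": User("u1", "Berlin"),
    "u2": User("u2", "Berlin"),
    "u3": User("u3", "Paris"),
    "u4": User("u4", "Berlin"),
}
GROUPS = {
    "g1": Group("g1", "private_visible", {"u1", "u2", "u3"}),
    "g2": Group("g2", "public", {"u3", "u4"}),
    "g3": Group("g3", "private_hidden", {"u1", "u2"}),
}


class Forbidden(Exception):
    """Caller is not allowed to see this group's membership."""


class GroupNotFound(Exception):
    """Returned for hidden groups so non-members cannot confirm they exist."""


def members_in_city_unchecked(group_id, city):
    """Vulnerable shape: the filter runs for any caller, so a non-member can
    enumerate members of a private group by city."""
    group = GROUPS[group_id]
    return sorted(uid for uid in group.members if USERS[uid].city == city)


def authorize_membership_view(viewer_id, group):
    """Single policy decision shared by every membership-revealing query."""
    if viewer_id in group.members or group.visibility == "public":
        return
    if group.visibility == "private_hidden":
        # Deny existence rather than access, so the error is the same
        # as for a group id that does not exist.
        raise GroupNotFound(group.id)
    raise Forbidden(group.id)


def members_in_city(viewer_id, group_id, city):
    """Fixed shape: authorize before filtering, so the filter itself can
    never act as an oracle for non-members."""
    group = GROUPS[group_id]
    authorize_membership_view(viewer_id, group)
    return sorted(uid for uid in group.members if USERS[uid].city == city)


def is_member(viewer_id, group_id, target_id):
    """Same gate for the yes/no query. For an unauthorized viewer the error is
    identical whether or not target_id is a member, so the response carries
    no membership signal."""
    group = GROUPS[group_id]
    authorize_membership_view(viewer_id, group)
    return target_id in group.members


def raises(exc, fn, *args):
    """Helper for checking that a query is refused with a given error."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    # u4 is not in g1; the unchecked resolver still lists its Berlin members.
    print(members_in_city_unchecked("g1", "Berlin"))            # ['u1', 'u2']
    print(raises(Forbidden, members_in_city, "u4", "g1", "Berlin"))   # True
    print(raises(GroupNotFound, is_member, "u4", "g3", "u1"))         # True
```

The point of the shared `authorize_membership_view` is that every query capable of revealing membership, whether it returns a list or a single boolean, goes through the same decision before touching member data; a second, subtly different check in each resolver is how one of a pair of queries ends up unguarded.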