Recently, two bugs were reported to have been found by security researcher Mohamed Sharif. These bugs let outsiders (attackers, hackers) use queries in ‘graphql,’ a query language developed by Facebook. By doing this, these outsiders could access the members' list of private groups on Facebook.
As a default setting, members and their profiles cannot be opened if a group on Facebook is Private, and its admins have restricted its settings. So, if someone is not a part of a private group, they cannot access and view the profiles of its members. However, the recent vulnerability that was spotted in August let outsiders to not only access the members’ list in private groups, they were also able to approach these members by sorting them out on the basis of their city, and other common grounds, and then add them in other groups that matched their profiles and interests.
Mohamed Sharif says that by finding the bug, the team of security researchers and Facebook developers were able to fix it quickly, and effectively. One important point to note is that this vulnerability had not affected private groups that were hidden, but it only affected the private groups that were visible.
Apparently, it sounds innocuous and may not ring any alarm bells, but in reality, this bug could cause a lot of damage. With the information about members’ profiles in visible private groups, attackers and cybercriminals could target people with their malicious intent. They could access these people on the basis of their location, activities, and interests, and could sell all this information to other third-parties. They could even make fake profiles using these private groups and then wreak as much havoc as possible.
While Facebook took immediate and effective action, however, this vulnerability did get enough time to access a lot of people out there. As per reports, many people reported that they received notifications by Facebook that told them that ‘their request to join this and that group has been approved.’
These people found themselves becoming a part of groups they never knew existed and had never requested to join in the first place. Some people found it confusing, but since the groups they were added in were based on their interests, they did not mind it and did not take any action. Few people found it alarming and reported to Facebook about this issue while promptly leaving those groups and changing their security settings.
Luckily, the vulnerability was spotted and taken care of soon enough before anyone could suffer major harm.
Photo: Valentin Flauraud / Reuters
Read next: Facebook Gaming is making background music in live-streaming games easier now
As a default setting, members and their profiles cannot be opened if a group on Facebook is Private, and its admins have restricted its settings. So, if someone is not a part of a private group, they cannot access and view the profiles of its members. However, the recent vulnerability that was spotted in August let outsiders to not only access the members’ list in private groups, they were also able to approach these members by sorting them out on the basis of their city, and other common grounds, and then add them in other groups that matched their profiles and interests.
Mohamed Sharif says that by finding the bug, the team of security researchers and Facebook developers were able to fix it quickly, and effectively. One important point to note is that this vulnerability had not affected private groups that were hidden, but it only affected the private groups that were visible.
Apparently, it sounds innocuous and may not ring any alarm bells, but in reality, this bug could cause a lot of damage. With the information about members’ profiles in visible private groups, attackers and cybercriminals could target people with their malicious intent. They could access these people on the basis of their location, activities, and interests, and could sell all this information to other third-parties. They could even make fake profiles using these private groups and then wreak as much havoc as possible.
While Facebook took immediate and effective action, however, this vulnerability did get enough time to access a lot of people out there. As per reports, many people reported that they received notifications by Facebook that told them that ‘their request to join this and that group has been approved.’
These people found themselves becoming a part of groups they never knew existed and had never requested to join in the first place. Some people found it confusing, but since the groups they were added in were based on their interests, they did not mind it and did not take any action. Few people found it alarming and reported to Facebook about this issue while promptly leaving those groups and changing their security settings.
Luckily, the vulnerability was spotted and taken care of soon enough before anyone could suffer major harm.
Photo: Valentin Flauraud / Reuters
Read next: Facebook Gaming is making background music in live-streaming games easier now
