Facebook exploit – Confirm website visitor identities

In last year's coverage of the Facebook / Cambridge Analytica privacy concerns, Mark Zuckerberg was asked to testify before Congress, and one of the questions asked was whether Facebook could track users even on other websites.

There was a lot of news coverage around this aspect of Facebook, and a lot of people were up in arms. As one aspect of their response, Facebook launched a Data Abuse Bounty, with the aim of protecting user data from abuse.

They are almost all protected by Access-Control-Allow-Origin headers and magic prefixes on JSON responses, which prevent JSON hijacking and other nasty attacks.

I'm not sure there is a good reason not to be prefixing this JSON; the nice thing is that the Facebook-preferred prefix ;) produces an invalid UTF-16BE character, so it would prevent the attack.
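One way to apply and audit the response protections discussed above, as an added example that is not code from the original article or from Facebook. The prefix value, function names and sample responses are assumptions constructed for illustration; the explicit `charset` and `nosniff` checks are additions based on how browsers pick a script's encoding and MIME type.

```javascript
// Added example: constructed prefix and sample responses, not Facebook's code.
const PREFIX = "for (;;);"; // assumed anti-hijacking prefix; never valid JSON

// Server side: wrap a value so the body is useless if included as a script.
function protectJson(value) {
  return {
    headers: {
      // An explicit charset stops the including page from choosing the encoding.
      "content-type": "application/json; charset=utf-8",
      "x-content-type-options": "nosniff",
    },
    body: PREFIX + JSON.stringify(value),
  };
}

// Same-origin client: strip the prefix before parsing, reject anything else.
function parseProtected(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijacking prefix");
  return JSON.parse(body.slice(PREFIX.length));
}

// Audit a captured response; returns the list of missing protections.
function auditJsonResponse(headers, body) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  const ctype = h["content-type"] || "";
  if (!/^application\/json\b/i.test(ctype)) findings.push("content-type is not application/json");
  if (!/;\s*charset=/i.test(ctype)) findings.push("no explicit charset in content-type");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("nosniff not set");
  let bareJson = true;
  try { JSON.parse(body); } catch { bareJson = false; }
  if (bareJson) findings.push("body is bare JSON with no prefix");
  return findings;
}

// Constructed sample responses: one protected, one not.
const good = protectJson({ id: 1, name: "example" });
const bad = { headers: { "Content-Type": "application/json" }, body: '{"id":1}' };
console.log(auditJsonResponse(good.headers, good.body));
console.log(auditJsonResponse(bad.headers, bad.body));
```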

This is limited in that you need to check against a known list of users, rather than being able to determine the user's identity automatically. However, anyone affected by the Cambridge Analytica data situation whose data is already known could now be identified and tracked across websites, even without using any Facebook APIs.

A final example might be anyone on a corporate IP address or network, where the list of users is probably fairly easy to harvest and is fairly finite.
