
Ever since the 2016 presidential election, Facebook has had a hard time escaping bad press: public Senate hearings, further security and privacy breaches, and a steady decline in usage among teens and millennials. Amid its rebuilding effort, though, there is the occasional piece of good news. This time it comes from the cybersecurity firm Imperva, which recently worked with Facebook to fix a bug before it could become a problem.

Instead of scrambling to patch a hole after the fact under intense public scrutiny, Facebook was quietly notified months ago about a potential issue involving iframes. An inline frame, or iframe, is an HTML element that embeds another web page, often from a different site, inside the page you are viewing. It is a general-purpose mechanism for pulling content from multiple sources into one page, and is separate from the system Facebook uses to display ads.


At the time, Facebook's search feature had no protection against cross-site request forgery: a search request that arrived with the user's session cookie was served no matter which site had caused the browser to send it. That is common for online search tools, which usually accept plain GET requests, but combined with the way Facebook's search results used iframes, it theoretically allowed an attacker to learn private information about a user, and about that user's Facebook friends.

The attacker only needed the victim to visit a website under the attacker's control and click anywhere on it (the click supplies the user gesture that browsers require before a script may open a new window). JavaScript on that page would take care of the rest, opening a tab in the background in which Facebook search ran queries as the logged-in victim, with results personalized for that user. The attacker's page cannot read the contents of that tab directly, because the browser's same-origin policy blocks it, but a few properties of a cross-origin window, such as the number of iframes it contains, are readable anyway, and Imperva found that this count varied with the search results. By repeating yes-or-no style queries, the attacker could infer the answers one bit at a time.

Search results on Facebook can reveal which pages you like, who you know on the social network, and details about those people such as where they live and their religious and political affiliations, among other personal details. Privacy settings offered no protection here: the searches ran in the victim's own authenticated browser session, so they returned everything the victim was allowed to see, and a user can always see their own likes and their friends' profiles.


Thankfully, it appears that this security hole never became another nasty headline for Facebook. Instead, Imperva security researcher Ron Masas says in the announcement, "Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved."

It should be noted, however, that a separate breach affecting up to 50 million users happened within this same time frame, so Facebook's overall security scorecard remains problematic. The company is reportedly shopping around for a security firm to bring in-house to beef up its protections, and recent tests of its ad verification system indicate that there will be some problems to deal with right away.


  • Facebook collaborated with the cybersecurity firm Imperva to identify and fix a potential security hole, which was originally reported to Facebook in May 2018.
  • An attacker could theoretically have driven Facebook's personalized search from a logged-in user's browser and inferred private information about that user and their friends from the results.
  • However, Facebook's overall security status remains problematic, as evidenced by a recent test of its ad buyer verification system.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.