Facebook’s big security breach: How did 50 million accounts get impacted, and what you should do next
Facebook security breach: The incident was big enough for Facebook CEO
and founder Mark Zuckerberg to post that the social network was still
investigating the breach
Facebook on Friday claimed it had fixed a security
vulnerability that could have allowed hackers to log into about 50 million user
accounts. While Facebook reset the logins of these 50 million users, it did the
same to another 40 million accounts as a precautionary measure. The incident
was big enough for Facebook CEO and founder Mark Zuckerberg to post that the
social network was still investigating the breach. “We do not yet know whether
these accounts were misused but we are continuing to look into this and will update
when we learn more,” he said in a Facebook post.
When did the Facebook breach take place?
In a press call, also attended by Zuckerberg, Guy Rosen,
Facebook’s VP of Product Management, said the vulnerability was introduced in
July 2017 when Facebook created a new video upload functionality. Facebook
launched a probe into the incident on September 16 after it discovered something
unusual, like a spike in users, he said. “On the afternoon of September 25, we
uncovered this attack and we found this vulnerability,” he said, adding that
the FBI was soon notified and the vulnerability was fixed on September 27
evening after which it “began resetting the access tokens of people to protect
the security of their accounts.” This is why people are having to log back in
to their Facebook accounts.
How were user accounts compromised?
Rosen said the attackers exploited a vulnerability in Facebook’s
code that impacted its ‘View As’ feature that lets people see what their own
profile looks like to someone else. This is how it was exploited: “Once the
attackers had an access token for one account, let’s say (Alice’s), they could
then use View As to see what another account, let’s say, (Bob’s), could see
about (Alice’s) account. Due to the vulnerability, this enabled them to get an
access token for (Bob’s) account as well, and so on and so on.”
What caused the vulnerability in ‘View As’?
Rosen said the vulnerability was caused by a combination of three
bugs affecting the access token, which is like a “digital key that keeps you
logged in to Facebook so that every time you open the app, you don’t need to
reenter your password”. It is not a password.
Rosen explained that the first bug was that “when using the
View As function to look at your profile as another person would, the video
uploader shouldn’t have actually shown up at all”. But in some cases it did.
Secondly, this video uploader “incorrectly used the single sign-on
functionality” to generate an access token with the permissions of the Facebook
mobile app.
Finally, when the video uploader showed up as part of ‘View As’ it
generated an access token, which it shouldn’t have, “not for you as the viewer,
but for the user that you are looking up”. Rosen said the attackers discovered
this combination that had become a vulnerability.
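The three bugs Rosen describes add up to a confused-identity flaw: code running inside a preview (“View As”) mode minted a credential for the profile being previewed instead of for the logged-in viewer. The following is an added, self-contained toy model of that bug class and its fix; it is illustrative code written for this page, not Facebook’s code, and every name in it (Session, TokenService, the render functions, the HMAC token format, the constructed secret) is an assumption. The vulnerable renderer reproduces the three-bug chain on the page; the hardened renderer applies the three defensive checks (no uploader in preview, tokens minted only for the acting principal, and a narrow scope rather than full mobile-app permissions), and the per-user epoch shows why “resetting the access tokens” forces a fresh login.

```python
"""Toy model of the 'View As' token-confusion bug class and its hardening (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Session:
    actor: str                       # the user who is actually logged in
    view_as: Optional[str] = None    # profile being impersonated in a read-only preview, if any


class TokenService:
    """Mints HMAC-signed bearer tokens bound to (user, scope, per-user epoch)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._epoch: Dict[str, int] = {}   # bumping a user's epoch invalidates all their tokens

    def mint(self, user: str, scope: str) -> str:
        payload = f"{user}|{scope}|{self._epoch.get(user, 0)}"
        sig = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{sig}"

    def verify(self, token: str) -> Optional[Tuple[str, str]]:
        parts = token.split("|")
        if len(parts) != 4:
            return None
        user, scope, epoch, sig = parts
        expected = hmac.new(self._secret, f"{user}|{scope}|{epoch}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        if int(epoch) != self._epoch.get(user, 0):
            return None                 # token predates a reset: force re-login
        return user, scope

    def reset_tokens(self, users: Iterable[str]) -> None:
        """Equivalent of 'resetting the access tokens' for affected accounts."""
        for user in users:
            self._epoch[user] = self._epoch.get(user, 0) + 1


def render_profile_vulnerable(svc: TokenService, session: Session) -> dict:
    # Bug 1: the uploader is rendered even inside a View As preview.
    # Bug 2: it mints a token with the broad permissions of the mobile app.
    # Bug 3: the token is minted for the profile being viewed, not the viewer.
    subject = session.view_as or session.actor
    return {"uploader": True, "token": svc.mint(subject, "mobile_app")}


def render_profile_hardened(svc: TokenService, session: Session) -> dict:
    if session.view_as is not None:
        # A preview is read-only: no uploader and no credential minting at all.
        return {"uploader": False, "token": None}
    # Outside preview, any token is bound to the acting principal with a narrow scope.
    return {"uploader": True, "token": svc.mint(session.actor, "video_upload")}


if __name__ == "__main__":
    svc = TokenService(b"constructed-secret-for-demo")   # constructed sample secret
    preview = Session(actor="alice", view_as="bob")      # Alice previews her profile as Bob
    leaked = render_profile_vulnerable(svc, preview)["token"]
    print("vulnerable path minted a token for:", svc.verify(leaked))   # ('bob', 'mobile_app')
    print("hardened path in preview:", render_profile_hardened(svc, preview))
    svc.reset_tokens(["bob"])
    print("leaked token after reset:", svc.verify(leaked))             # None
```

The hardened renderer does not just hide the uploader (fixing bug 1 alone would leave bugs 2 and 3 latent); it refuses to mint any credential in preview mode and, outside it, binds the token to the session’s actor. The epoch check in verify is what turns a server-side reset into the forced re-login users saw.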
Asked why it took Facebook so long to discover this vulnerability,
Rosen said that while they do code reviews and run static analysis tools, “regrettably
it didn’t catch this complex interaction of bugs that led to this
vulnerability”. He, however, clarified that no passwords were taken in this
security breach.
Saket Modi, CEO & Co-Founder of security firm Lucideus,
explained that the access tokens maintain a constant session even when your IP
(or even MAC address) changes. “In this case, hackers were able to steal these
tokens of nearly 50 million Facebook users (targets), which basically means the
hacker could fool Facebook servers to believe they are the authorised users of
the target’s account, which would give the attacker complete access to the
target’s account,” he said.
How does the breach affect Facebook users?
Modi said that, as per its statement, Facebook
would have a log of the user profiles this feature was used to
access, and has reset those users’ tokens (expiring their previous
sessions).
“However, we don’t know for how long the vulnerability existed,
who the hacker(s) were and the extent of damage that might have been caused in
terms of stealing not only one’s profile data (which was in the case of
Cambridge Analytica) but in this case potentially the personal messages, every
picture (even the ones hidden from friends / public), chats on messenger among
others,” he added.
What should Facebook users do now?
As a precaution, Modi recommended that all Facebook users
log out of, and log back in to, every device on which they had the social
network active.