By Saket Modi
A new blog by Facebook reveals that the vulnerability wasn’t spotted while proactively assessing vulnerabilities or conducting penetration testing. It was spotted via a traffic spike. What this means is, there can be more vulnerabilities that hackers could know but aren’t actively exploiting, just yet, and it hasn’t come in Facebook’s radar. Even the current “view as” vulnerability existed for over a year (starting July 2017) until September 2018, when Facebook spotted it. But such a thing is pretty common in the cyber space, this is a live example on why most of us say that there are only two types of companies, one who know they have been hacked, the other who don’t.
In such a hack there’s very limited things that a user can do to protect themselves as this was a vulnerability at Facebook’s backend code level. However, if you want to find out if your account was hacked too, you can, using the Facebook Help Center.
From this particular attack perspective, I don’t think there’s anything that an individual needs to do now as Facebook has already reset the access tokens from the backend. But what Facebook cannot do is get back the personal data (like the last 10 searches, 10 most recent locations you checked into, etc) that hackers stole of 14 Million users. This may serve as reconnaissance data for targeted (spear) phishing attacks on these 14 Million accounts.
However, things to do to make your Facebook security stronger:
1. Users can log out of all active sessions from all devices and re-login. This will reset the access tokens. You can do this by going to Settings > Security and Login > Where You’re Logged In. Either Log Out of individual sessions by clicking the three vertical dots or click the Log Out Of All Sessions option in the bottom right after expanding the list. One should generally do it once every 3 months.
2. Enable 2 Factor Authentication: I highly recommend this. Go to Settings > Security and Login > Enable 2 Factor Authentication
3. Keep the list in “Authorised Logins” in the Settings > Security and Login option to as small as required.
4. Generally avoid using Facebook / other social media or email platforms to sign into other websites. It basically means if one of your social media / email accounts are hacked, it can lead the hacked to get access to other websites where you have used this hacked account as means to authenticate.
Although these are security configuration one can control on their own Facebook account, my biggest recommendation to everyone is to change the mindset in which one uses Facebook. One should assume that everything they put on Facebook (for public, restricted group or individual users) will be hacked at some point or the other. When you have your messenger conversations / posts with this mental filter, you generally don’t end up writing / posting content in the first place that can potentially embarrass you in the future.
Saket Modi is an Indian entrepreneur and an ethical hacker. He is the co-founder and CEO of Lucideus Tech.