Facebook on Friday claimed it had fixed a security vulnerability that could have allowed hackers to log into about 50 million user accounts. While Facebook reset the logins of these 50 million users, it did the same to another 40 million accounts as a precautionary measure. The incident was big enough for Facebook CEO and founder Mark Zuckerberg to post that the social network was still investigating the breach. “We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more,” he said in a Facebook post.
When did the Facebook breach take place?
In a press call, also attended by Zuckerberg, Guy Rosen, Facebook’s VP of Product Management, said the vulnerability was introduced in July 2017 when Facebook created a new video upload functionality. Facebook launched a probe into the incident on September 16 after it discovered some unusual activity, like a spike in users, he said. “On the afternoon of September 25, we uncovered this attack and we found this vulnerability,” he said, adding that the FBI was soon notified and the vulnerability was fixed on the evening of September 27, after which Facebook “began resetting the access tokens of people to protect the security of their accounts.” This is why people are having to log back in to their Facebook accounts.
How were user accounts compromised?
Rosen said the attackers exploited a vulnerability in Facebook’s code that impacted its ‘View As’ feature that lets people see what their own profile looks like to someone else. This is how it was exploited: “Once the attackers had an access token for one account, let’s say (Alice’s), they could then use View As to see what another account, let’s say, (Bob’s), could see about (Alice’s) account. Due to the vulnerability, this enabled them to get an access token for (Bob’s) account as well, and so on and so on.”
What caused the vulnerability in ‘View As’?
Rosen said the vulnerability was caused by a combination of three bugs affecting the access token, which is like a “digital key that keeps you logged in to Facebook so that every time you open the app, you don’t need to reenter your password”. It is not a password.
Rosen explained that the first bug was that “when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all”. But in some cases it did. Secondly, this video uploader “incorrectly used the single sign-on functionality” to generate an access token with the permissions of the Facebook mobile app.
Finally, when the video uploader showed up as part of ‘View As’ it generated an access token, which it shouldn’t have, “not for you as the viewer, but for the user that you are looking up”. Rosen said the attackers discovered this combination of bugs that had become a vulnerability.
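To make the three-bug interaction concrete, here is an added toy model (not Facebook’s code; the `Session`, `Token` and scope names are constructed for illustration). The buggy renderer mints a token for the account being viewed with mobile-app scopes; the hardened renderer never shows the uploader in View As mode and otherwise binds a narrowly scoped token to the authenticated user, with an issuance-time invariant a defender can enforce and alert on.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Token:
    subject: str          # account the token acts on behalf of
    scopes: Tuple[str, ...]  # permissions granted to the token


@dataclass
class Session:
    user: str                       # authenticated principal (the viewer, "Alice")
    view_as: Optional[str] = None   # account whose perspective is rendered ("Bob")


# Constructed scope sets: the mobile app is broad, the uploader needs very little.
MOBILE_APP_SCOPES = ("read_profile", "read_messages", "upload_video")
UPLOADER_SCOPES = ("upload_video",)


def render_buggy(session: Session) -> Optional[Token]:
    """Models the bug combination described above (constructed toy):
    1. the uploader is rendered even in View As mode,
    2. it mints a token through the single sign-on path with mobile-app scopes,
    3. the token is issued for the viewed account, not the viewer."""
    target = session.view_as or session.user
    return Token(subject=target, scopes=MOBILE_APP_SCOPES)


def render_fixed(session: Session) -> Optional[Token]:
    """Hardened rendering: no uploader (so no token) while impersonating a
    perspective; otherwise a least-privilege token bound to the real user."""
    if session.view_as is not None:
        return None
    return Token(subject=session.user, scopes=UPLOADER_SCOPES)


def token_is_sound(session: Session, token: Optional[Token]) -> bool:
    """Invariant to check wherever a token is minted during a request: the
    subject must be the authenticated principal and scopes must not exceed
    what the issuing component needs. A violation is worth an alert."""
    if token is None:
        return True
    return token.subject == session.user and set(token.scopes) <= set(UPLOADER_SCOPES)
```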
Asked why it took Facebook so long to discover this vulnerability, Rosen said that while they do code reviews and run static analysis tools, “regrettably it didn’t catch this complex interaction of bugs that led to this vulnerability”. He, however, clarified that no passwords were taken in this security breach.
Saket Modi, CEO & Co-Founder of security firm Lucideus, explained that the access tokens maintain a constant session even when your IP (or even MAC address) changes. “In this case, hackers were able to steal these tokens of nearly 50 million Facebook users (targets), which basically means the hacker could fool Facebook servers to believe they are the authorised users of the target’s account, which would give the attacker complete access to the target’s account,” he said.
How does the breach affect Facebook users?
Modi said Facebook would have a log of the number of user profiles this feature was used to access, whose tokens they have reset (or expired the session of the previous one) as per their statement.
“However, we don’t know for how long the vulnerability existed, who the hacker(s) were and the extent of damage that might have been caused in terms of stealing not only one’s profile data (which was in the case of Cambridge Analytica) but in this case potentially the personal messages, every picture (even the ones hidden from friends / public), chats on messenger among others,” he added.
What should Facebook users do now?
As a precaution, Modi recommended that all Facebook users should log out and log back in on all the gadgets they had the social network active on.
Meanwhile, Sophos Principal Research Scientist Chester Wisniewski reminded that there are bound to be bugs in something as big and complicated as Facebook. While accepting that theft of access tokens was a problem, he suggested it was not nearly as big a risk to users’ privacy as something like Cambridge Analytica. He has his own suggestion too: “As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”