Facebook has revealed that 50m user accounts have been breached by an access token harvesting attack.
It warns that another 40m may also have been compromised and in all 90m of its 2.2bn users will have to log in or reset their credentials.
Facebook was already having a terrible year in terms of data security and the fall-out of the Cambridge Analytica affair and now it has emerged that a massive and sophisticated data breach has occurred.
The breach is the largest in Facebook’s 14-year history and Facebook is still trying to determine whether the attacker misused any accounts or stole private information.
The origin of the attack is still a mystery. But it is clear that the hackers were after access tokens or digital keys, an exploit requiring sophisticated skills. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.
It is serious stuff amid a year of Cambridge Analytica fall-out, in which an estimated 87m users’ accounts were potentially manipulated by political interests contributing to Brexit and Trump’s election, the spiralling fake news epidemic and Facebook’s initial pooh-poohing of its seriousness and, of course, fears that Russian hackers have infiltrated the social network.
1. What happened?
Yesterday evening (29 September) Guy Rosen, vice-president of product management at Facebook said that the breach was discovered on 25 September and that 50m accounts were affected.
“First, we’ve fixed the vulnerability and informed law enforcement,” he said.
“Second, we have reset the access tokens of the almost 50m accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90m people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
Rosen said that as a third precaution Facebook is turning off the ‘View As’ feature as it conducts a thorough review.
2. What’s the nature of the breach?
Rosen said that the attack exploited the complex interaction of multiple issues in Facebook’s code.
“It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
3. What do users do next?
First off, Facebook said that there is no need for anyone to change their passwords.
However, people who are having trouble logging in because they have forgotten their password should visit Facebook’s Help Centre. Rosen said that anyone who wants to take the precautionary step of logging out of Facebook should visit the ‘Security and Login’ section in settings. This section lists the places where people are logged into Facebook, with a one-click option to log out of all of them.
4. How would you know you were affected?
Facebook has reset the access token of almost 50m accounts and as a precaution has reset another 40m accounts that were subject to a ‘View As’ look-up in the last year.
Most users wouldn’t know they have been affected unless they are asked to log back in. In short, 90m users out of Facebook’s 2.2bn user population have been logged out and will have to log back in.
5. What are access tokens?
They are basically digital keys for accessing your account. They are handy for allowing you to stay logged into Facebook without having to put in a password every time.
6. What is the View As feature and how were access tokens generated?
The ‘View As’ window lets people see what their own profile looks like to other users. It is meant to be a view-only interface.
However, the bug in the system incorrectly enabled other users to post a video into other users’ View As windows. Not only that but a new version of the Facebook video uploader incorrectly generated an access token that had the permissions of the Facebook mobile app.
The problem here is that every time the video uploader appeared as part of View As, it generated an access token not for the user but the person that you were looking up.
Combined, these bugs meant that an access token was generated every time a user was looked up – attackers in the know could exploit this to find ways to log in as another user.
The attackers were then able to pivot from that access token to other accounts and obtain other access tokens.
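The two defects described above are a token issued for the wrong principal (the looked-up user rather than the viewer) and with the wrong permissions (the full mobile-app set rather than read-only preview), followed by a bulk token reset as remediation. The toy token service below is an added illustration of that pattern and its fix; it is not Facebook’s code, and every class, method and scope name in it is a hypothetical stand-in.

```python
"""Toy in-memory token service: wrong-subject/wrong-scope issuance, its fix,
an audit check, and a bulk reset. All names are hypothetical (not Facebook's)."""
import secrets
from dataclasses import dataclass

# Permission levels, broadest last. "mobile_app" stands in for the full
# permission set the article says the video uploader's token carried.
SCOPE_RANK = {"view": 1, "mobile_app": 2}


@dataclass(frozen=True)
class Token:
    value: str
    subject: str    # the account this token acts as
    scope: str      # what the token is allowed to do
    requester: str  # the account whose session minted it


class TokenService:
    def __init__(self):
        self._tokens = {}  # token value -> Token

    def _issue(self, subject, scope, requester):
        tok = Token(secrets.token_hex(16), subject, scope, requester)
        self._tokens[tok.value] = tok
        return tok

    def view_as_vulnerable(self, viewer, target):
        # Models the defect: the preview mints a token for the looked-up
        # user (wrong subject) carrying full app permissions (wrong scope).
        return self._issue(subject=target, scope="mobile_app", requester=viewer)

    def view_as_hardened(self, viewer, target):
        # The preview never needs to act as `target`: bind the token to the
        # viewer's own account and limit it to read-only preview.
        return self._issue(subject=viewer, scope="view", requester=viewer)

    def authenticate(self, value, needed_scope):
        """Return the account the token acts as, or None if the token is
        unknown, revoked, or too weak for the requested scope."""
        tok = self._tokens.get(value)
        if tok is None or SCOPE_RANK[tok.scope] < SCOPE_RANK[needed_scope]:
            return None
        return tok.subject

    def audit_mismatched(self):
        """Detection: live tokens whose subject differs from the session that
        minted them. A preview flow should never produce one of these."""
        return [t for t in self._tokens.values() if t.subject != t.requester]

    def reset_tokens_for(self, accounts):
        """Remediation: invalidate every live token acting as an affected
        account, so a harvested token stops working. Returns the count."""
        doomed = [v for v, t in self._tokens.items() if t.subject in accounts]
        for v in doomed:
            del self._tokens[v]
        return len(doomed)


if __name__ == "__main__":
    svc = TokenService()
    # Constructed accounts: "alice" previews her profile as seen by "bob".
    leaked = svc.view_as_vulnerable("alice", "bob")
    print("vulnerable token acts as:", svc.authenticate(leaked.value, "mobile_app"))
    safe = svc.view_as_hardened("alice", "bob")
    print("hardened token acts as:", svc.authenticate(safe.value, "view"))
    print("mismatched tokens found:", len(svc.audit_mismatched()))
    print("tokens reset for bob:", svc.reset_tokens_for({"bob"}))
```

The audit check is the part a defender would wire into token-issuance logging: any token whose subject is not the session that requested it is a signal worth alerting on, independent of how the mis-issuance happened. The reset routine mirrors the precautionary step of invalidating tokens for every account that could have been looked up, not just those known to be affected.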
7. That is scary. What have the hackers done so far?
Facebook itself does not yet have the answer to this question because its investigation is only beginning. But critics are already framing the incident as an echo of the Cambridge Analytica affair, given what it could mean for third-party apps or advertisers to which users may have granted access to their data.
“One other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user,” opined Brian Krebs of Krebs On Security.
“Tens of thousands of web sites let users log in using nothing more than their Facebook profile credentials. If users have previously logged in at third-party sites using their Facebook profile, there’s a good chance the attackers could have had access to those third-party sites as well.”
Facebook has no evidence that this has happened.
“We have invalidated data access for third-party apps for the affected individuals,” a Facebook spokesperson has said.
8. What happens next?
“The investigation is early, and it’s hard to discover who is behind this,” Rosen said. “We may never know.”
But Rosen pointed out that the scale and complexity of the hack would have required “a certain level” of expertise.
The news of the attack will add even more scrutiny to the vast and complicated business machine that is Facebook, and one wonders whether it will ever manage to salvage its reputation in terms of privacy and security.
The legal fallout of the current data breach has already begun. The social network is facing a class-action complaint filed on behalf of California resident Carla Echavarria and Virginia resident Derick Walker, who allege that Facebook’s lack of proper security has exposed them and other users to potential identity theft. The lawsuit was filed yesterday in US District Court for the Northern District of California.
No doubt this will lead to a resurgence of the ‘Delete Facebook’ movement that began earlier this year as the Cambridge Analytica scandal raged.
Groups like the Electronic Frontier Foundation and US university researchers are pointing to other potential flaws, such as whether users who gave their mobile phone numbers for two-factor authentication could be targeted by advertisers if Facebook shared that data with them to boost advertising.
For Facebook’s CEO Mark Zuckerberg the 50m-user breach and the legal fallout will seriously compromise his vision for Facebook and products like Messenger being the gateway for a slew of mobile payment, banking and e-commerce services.
One thing is certain: it will add to the clamour among US politicians for more stringent data protection legislation.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Democratic US Senator Mark Warner said in a statement.
“A full investigation should be swiftly conducted and made public so that we can understand more about what happened.”
The post Facebook data attack: 8 things you need to know appeared first on Silicon Republic.