Workload and Application Security Blog

Facebook is under the spotlight yet again for another huge data breach—this time affecting many other apps and sites you’ve logged into

Written by Virsec Systems | Oct 2, 2018 5:28:25 PM

50-90 million Facebook accounts and likely millions of others

As though having our Facebook accounts hacked (again) in a huge data breach isn’t bad enough, hearing that many of our other apps – Instagram, Tinder, Spotify, Airbnb and on and on – could also be affected is all the more unsettling. When setting up a new app, have you ever accepted the offer to create your account or log in using your Facebook credentials? Every time any of us did that, we pulled that other application into the reach of this hack. Facebook first said 50 million users were affected, then later 90 million, out of its 2.2 billion accounts. The number could continue to climb, especially once the other applications possibly affected are counted. Then we’re talking many, many millions more.

How do you know if your info was hacked? Facebook will have logged you out of your account, so you’ll need to log back in. When you do, you’ll find a notification at the top of your newsfeed.

What did the hackers get?

Not everything that was accessed is yet known; the investigation is still ongoing. But the hackers were able to access profile information including names, hometowns and genders, and probably photos, videos and comments. The company says no credit card information was taken, but users might be even more worried about the personal nature of what was. All of a user’s profile information may have been taken, including personal photos, videos, private messages and more, for tens of millions of people. Gripes about your boss, unflattering photos or videos, personal messages, or those comments you thought you might go back and delete – all of it could now be in the hands of the hackers. Who knows how such personal information could at some point be used to defraud, misrepresent or otherwise compromise you.

How did it happen? 3 pieces came together to create the perfect storm

Facebook is fully to blame for the hack, thanks to bugs in code it shipped in an update last summer. A perfect storm of three factors came together to make it possible.

First, every user is given an access token, a feature many sites use that conveniently keeps you logged in. When you close the application tab or window and reopen it, you’re still logged in; you don’t have to sign in again. These tokens are essentially digital keys, like a key you leave in your front door: they remind the website that you’re already logged in.

The second factor came when Facebook added a new video upload tool to the app last June, using code with a huge bug. The bug let hackers generate the access tokens described above for anyone on the website and use them themselves (i.e., for millions upon millions of people, adding up to 50 million or more). And when those users logged into other services and apps with those same access tokens, the hackers could help themselves to the info in those other apps as well.

What’s more, the usual safety nets that apply in other breaches don’t help with this one. If you have two-factor authentication set up, for example, it doesn’t protect you, because this hack wasn’t about logging in – the users were already logged in. Notice that in this breach Facebook is not advising users to reset their passwords. The horses are already miles away from the barn, and a new password now won’t help.

And the third piece in this perfect-storm hack was a Facebook feature known as “View As”. It lets users view their own profile as another viewer would see it. This embedded feature somehow generated the access tokens described above incorrectly, providing that perpetual login session for users. In its code for this feature, Facebook modified how the feature would behave if the profile were actually being viewed by that other user. The feature’s code did even stranger things. While using View As, if a friend had a friend with a birthday, a box appeared prompting them to post a “happy birthday” video. A code error in July 2017 caused this function to respond to the user’s action by creating an access token and sending it to the user. In this hack, the hackers arranged to have those access tokens sent to themselves. In that way they gained access to 50-90 million accounts, along with all the other accounts attached to those accounts.
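The token mechanics behind the three pieces above, shown as an added example that is neither Facebook’s code nor taken from the article: a toy token service whose tokens are bound to a single account, a “View As” session that carries both the authenticated account and the account the page is rendered for, a bug-pattern function that mints the token for the rendering context, and the hardened version that only ever mints for the authenticated principal. It also shows why a password change leaves an already issued token valid (the point made about password resets) and why revoking tokens, which is what forcing everyone to log back in amounts to, is the remedy. All names (`TokenService`, `Session`, `mint_for_rendered_user`, `mint_for_authenticated_user`, the accounts alice and bob) are hypothetical and constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed server-side signing key; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    principal: str                 # the account that actually authenticated
    view_as: Optional[str] = None  # "View As" rendering context: whose eyes the page is drawn for


class TokenService:
    """Opaque bearer tokens bound to one account, with server-side revocation.
    Constructed for this example; it is not Facebook's implementation."""

    def __init__(self) -> None:
        self.issued: Dict[str, str] = {}   # token_id -> account it was minted for
        self.revoked: Set[str] = set()     # token_ids killed by logout or incident response
        self.passwords: Dict[str, str] = {}  # placeholder store; a real one uses a slow KDF

    def _mac(self, token_id: str, account: str) -> str:
        # Binds the token id to the account so neither field can be swapped by a client.
        msg = f"{token_id}:{account}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def mint(self, account: str) -> str:
        token_id = secrets.token_hex(16)
        self.issued[token_id] = account
        return f"{token_id}.{account}.{self._mac(token_id, account)}"

    def account_for(self, token: str) -> Optional[str]:
        """Return the account a token grants access to, or None if invalid or revoked."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        token_id, account, mac = parts
        if not hmac.compare_digest(mac, self._mac(token_id, account)):
            return None
        if token_id in self.revoked:
            return None
        return account

    def set_password(self, account: str, password: str) -> None:
        # A password change does not touch outstanding tokens: the session check above
        # never consults the password, which is why a reset would not have helped here.
        self.passwords[account] = hashlib.sha256(password.encode()).hexdigest()

    def revoke_all_for(self, account: str) -> int:
        """Log the account out everywhere; returns how many tokens were revoked."""
        ids = [t for t, a in self.issued.items() if a == account]
        self.revoked.update(ids)
        return len(ids)


def mint_for_rendered_user(svc: TokenService, session: Session) -> str:
    """Bug pattern: the token goes to whoever the page is being rendered as,
    so a "View As" session yields a credential for the viewed account."""
    return svc.mint(session.view_as or session.principal)


def mint_for_authenticated_user(svc: TokenService, session: Session) -> str:
    """Hardened: the rendering context never decides who a credential is for."""
    return svc.mint(session.principal)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Walk through the vulnerable and hardened minting paths and the two remedies."""
    svc = TokenService()
    session = Session(principal="alice", view_as="bob")   # constructed accounts
    leaked = mint_for_rendered_user(svc, session)         # alice now holds a token for bob
    safe = mint_for_authenticated_user(svc, session)      # alice holds a token for alice
    before = (svc.account_for(leaked), svc.account_for(safe))
    svc.set_password("bob", "new-password")               # changes nothing for the leaked token
    still_valid = svc.account_for(leaked)
    svc.revoke_all_for("bob")                             # the actual remedy: force re-login
    after = svc.account_for(leaked)
    return before[0], before[1], still_valid, after


if __name__ == "__main__":
    print(demo())  # ('bob', 'alice', 'bob', None)
```

The defender’s check this encodes is a one-liner in review: a credential-minting call must take its subject from the authenticated principal, never from a display or impersonation parameter. The revocation path is the other half; an incident like this is closed by invalidating tokens server-side, which is what a mass forced logout does.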

This was a nefariously brilliant maneuver, made possible by Facebook’s negligently faulty code. Facebook discovered the hack last Tuesday (a week ago today) when its security team noticed spikes in user activity on September 16. That prompted its engineers to investigate, which led to the discovery of these three vulnerabilities. They then learned the vulnerabilities had given attackers the means to carry out this massive attack.

What to do now

At this point, most Americans, if not most people around the world, should probably assume their information has been hacked and take appropriate precautions against identity theft (see our free Self Protection Guide). It also doesn’t hurt, going forward, to consider not using Facebook, Google or other accounts to sign in to other applications, and to be cautious about how much personal information you post in words, photos and videos.

As for the corporate world, Facebook would do well to implement better safeguards for its applications, such as the solutions provided by Virsec. Learn more.

Sources:

https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#25e76ef82033

https://www.washingtonpost.com/technology/2018/09/28/facebook-says-million-accounts-affected-by-hackers/?utm_term=.62729a99f171