Industry experts have commented on a Facebook security breach which affected up to 50 million accounts.
The social media giant wrote about the incident on its website, stating that attackers exploited a vulnerability in Facebook’s code that impacted ‘view as’ – a feature which enables people to see what their own profile looks like to someone else.
The statement said: “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Facebook said it had fixed the vulnerability and had informed law enforcement.
The statement added: “Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security.
“We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘view as’ look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook login.
“After they have logged back in, people will get a notification at the top of their news feed explaining what happened.”
Commenting on the incident, Chris Morales, Head of Security Analytics at Vectra, said: “There aren’t many details on this as of yet, but what we do know is that the attackers manipulated a flaw in the ‘view as’ feature of Facebook to acquire user access tokens that would allow a person to log into user accounts. It isn’t clear beyond the access of those tokens and the compromise of user accounts what other information was taken or how else those accounts were used.
“This type of compromise of a software flaw isn’t surprising. All code has these forms of flaw that allow unintended use of software and the more complex the software gets the more likely these type of flaws exist. I do commend Facebook for identifying and responding to the compromise so quickly. It is unfortunate for users however and it is also unfortunate for Facebook at a time when they under intense scrutiny along with the recent departure of Facebook’s CSO, Alex Stamos.”
CA Veracode CTO Chris Wysopal believes that two factor authentication may not have been the saving grace that Facebook needed.
He said: “This is not the sort of bug that could have been detected automatically but the execution must have been automated in order to collect the access tokens of 50 million users. We don’t know if the attackers were able to scrape all of the profile data from each of those users. It isn’t clear exactly how long the attackers may have had access but Facebook determined it could have been a year.
“Making an educated guess based on what’s been revealed but having two-factor authentication enabled on the account might not have protected a user. Since the vulnerability was exploited via an access token as opposed to the normal authentication workflow that would trigger verification of the second factor.
“Facebook did a quick job of remediating the problem and letting users know.”
Nicolai Solling, CTO at Help AG offered his analysis and advice.
He said: “According to Facebook, it is not a breach but a misuse of authentication tokens. There is a slight difference as the latter means the attacker will not have access to your password but would be able to impersonate you on Facebook-related services. Facebook has therefore invalidated these tokens and several members of the Facebook user community experienced this and they had to log in once again.
“And while, according to Facebook, the attack did not expose user passwords in any way or form, this does not stop you from following good security practices such as ensuring you use a unique password and enable two-factor authentication in Facebook.
“This latest security issue highlights a change in the way attacks are being directed. It is evident that attacks on our identity or the identity service – in this example Facebook – are becoming a focal area for attackers.
“Understanding therefore that identity is at the forefront of attackers’ focus, the providers need to build more secure services and in parallel consumers must maintain a high level of responsibility and follow best practices, which include:
- Always use a unique password as password reuse is simply not acceptable
- Ensure that the password cannot be easily cracked by using special characters and a strong password policy
- And finally, use the multi-factor authentication features available in most of the well-established platforms.”
Sophos Principal Research Scientist, Chester Wisniewski, said: “In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorisation tokens is certainly a problem, but not nearly as big of a risk to user’s privacy as other data breaches we have heard about or even Cambridge Analytica for that matter.
“As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”
Dan Pitman, Principal Security Architect at Alert Logic, said: “The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately, as much as by GDPR and other compliance requirements.
“Facebook has identified this was a vulnerability in its website code that allowed the attacker to gain authenticated access, which then allowed them to get effective access permissions for a huge numbers of users, giving the attacker the ability to access those users’ accounts as if they were the user themselves. Forcing a logout on the users changed the access keys to help ensure no use of them remained.
“They will be working to establish if any of these accounts were actually accessed and what personal data may have been lost, especially in the case of high profile users.
“New features increase the risk that vulnerabilities like this can become part of the live application and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.
“This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge. The applications are made up of components built by different developers at different times working based on older best practices, all of this means that vulnerabilities are an inevitability. In Facebook’s case, there will be people working hard to identify flaws in both trenches and this time the attackers got there first.”
Paul Bischoff, Privacy Advocate for Comparitech.com, said: “There’s very little information to go on as of now, but it should be made clear that this is distinctly different from the Cambridge Analytica leak that made headlines a few months ago. This is a direct attack by hackers that exploited a vulnerability in Facebook’s ‘view as’ feature, which was designed to allow users to see their profile pages as a friend or stranger would. In contrast, the Cambridge Analytica incident resulted from the abuse of data that Facebook willingly provided.
“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team. I would be interested to know how long this flaw existed before it was discovered and exploited.”
Tim Mackey, Senior Technical Evangelist at Synopsys said: “While it is early in the investigation, the Facebook network breach shows how important an incident response plan is. In this case, the incident response includes information surrounding access tokens. Because this issue impacted ‘access tokens’, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications. If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their app settings to see which applications and games they’ve granted access rights to within Facebook.”
Gary McGraw, Vice President of Security Technology at Synopsys, said: “Another day, another software problem that leads to security disaster. Only this time it is Facebook whose software features have apparently been exploited by attackers.
“Getting software security right is difficult, but not impossible. This breach emphasises just how important software security is and how subtle solid security engineering can be. When a feature like ‘view as’ can be turned on its head into an exploit, it indicates a design problem that led to unanticipated security vulnerability. Design flaws like this lurk in the mind boggling complexity of today’s commercial systems and must be systematically uncovered and corrected when software is being designed and built.”
Sam Curry, Chief Security Officer, at Cybereason, said: “In the big picture this is just another day and another breach and once again ‘privacy’ is the victim. Whether 50 million, 100 million or one billion Facebook users were compromised is immaterial as the real issue with any compromise is that this is another blow to our collective privacy.
“Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over. Today, consumers are reminded again to watch their identities and credit for abuse. As an industry until we can start making cybercrime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”