Massive Facebook Hack Exploited Critical Bugs

Facebook has shared additional details about the hacker attack affecting 50 million accounts, including technical information and what its investigation has uncovered so far.

The social media giant announced recently that malicious actors exploited a vulnerability related to the “View As” feature to steal access tokens that could have been leveraged to hijack accounts. The tokens of nearly 50 million users have been compromised.

The tokens of these users have been reset to prevent abuse, along with the tokens of 40 million others who may be at risk due to the fact that they were subject to a View As lookup in the past year, impacted users will need to log back in to their accounts.

The problematic feature has been suspended until a security review is conducted.

Technical details on Facebook Hack

The “View As” feature shows users how others see their profile. This is a privacy feature designed to help users ensure that they only share information and content with the intended audience.

The vulnerability that exposed access tokens involved a combination of three distinct bugs affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.

When “View As” is used, the profile should be displayed as a read-only interface. However, the text box that allows people to wish happy birthday to their friends erroneously allowed users to post a video – this was the first bug.

When posting a video in the affected box, the video uploader generated an access token that had the permissions of the Facebook mobile app – this was the second bug as the video uploader should not have generated a token at this point.

The third and final problem was that the generated token was not for the user who had been using “View As” but for the individual whose profile was being looked up.

Hackers could obtain the token from the page’s HTML code, and use it access the targeted user’s account. An attacker would first have to target one of their friends’ account and move from there to other accounts. The attack did not require any user interaction.

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” explained Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.

Users and Information affected by the Breach

Facebook says the vulnerability has been patched. The social media giant claims that while the attackers did try to query its APIs to access profile information, such as name, gender and hometown – there is no evidence that any private information was actually accessed.

Facebook’s investigation continues, but the company says it has found no evidence that the attackers accessed private messages or credit card information.

Facebook says impacted users are from all around the world – it does not appear that the attack was aimed at a specific country or region. It’s worth noting that Facebook founder and CEO, Mark Zuckerberg, and Sheryl Sandberg, the company’s COO, were among those affected.

Another noteworthy issue is that the exposed tokens can be used not only to access Facebook accounts, but also third-party apps that use Facebook login. However, the risk should be eliminated now that the existing tokens have been reset.

Users who have linked Facebook to an Instagram account will need to unlink and relink their accounts due to the tokens being reset. Facebook clarified that WhatsApp is not impacted.

Facebook is alerting users whose tokens have been compromised by sending notifications to their accounts. In some cases, users can check if their accounts were actually hacked by accessing the “Security and Login” page from the Settings menu. However, access is only logged if the attacker created a full web session.

Incident Timeline and Information on Attackers

Facebook discovered the breach following an investigation that started on September 16, after noticing a traffic spike, specifically increased user access to the website. However, it only realized that it was dealing with an attack on September 25, when it also identified the vulnerability. Affected users were notified and had their access tokens reset beginning with Thursday, September 27.

As for the attackers, no information has been shared, but the social media firm did note that exploitation of the vulnerability is complex and it did require a certain skill level.

Impact on Facebook

The company says it has notified the FBI and law enforcement. While the company has responded quickly after the breach was discovered, MarketWatch reports that the Data Protection Commission in Ireland, Facebook's main privacy regulator in Europe, could fine the company as much as $1.64 billion under the recently introduced GDPR.

US Senator Mark R. Warner responded to news of the Facebook hack, asking for a full investigation.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Sen. Warner said. 

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before, the era of the Wild West in social media is over.”

FTC Commissioner Rohit Chopra wrote on Twitter that he wants answers.

Despite no evidence of harm to any user, a class action lawsuit has already been filed against Facebook in the United States.

Facebook stock fell 3 percent after the breach was disclosed.

SecurityWeek:

You Might Also Read:

Widepsread Campaign Hacking Instagram Accounts

« How Cyber Attackers Stole £2.26m From Tesco Bank Customers
California Bans 'Secret' Election Bots »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IONU Security

IONU Security

IONU offer a security platform focused specifically on providing Data-centric Security.

Get Cyber Safe

Get Cyber Safe

Get Cyber Safe is a national public awareness campaign created to educate Canadians about Internet security and the simple steps they can take to protect themselves online.

Zurich

Zurich

Zurich is a leading multi-line insurer providing a wide range of property and casualty, and life insurance products and services in more than 210 countries and territories.

MD5

MD5

MD5 is a leading UK provider of Digital Forensic & eDiscovery services to large multi-national corporate businesses, Law Enforcement & Government Agencies, high profile legal firms.

Merlin Cyber

Merlin Cyber

Merlin is a premier cybersecurity platform that leverages security technologies, trusted relationships, and capital to develop and deliver groundbreaking security solutions.

Netmarks Indonesia (NMID)

Netmarks Indonesia (NMID)

Netmarks Indonesia is an IT solutions provider offering services related to ICT infrastructure, digital transformation and cyber security.

OutThink

OutThink

OutThink is a web-based platform (SaaS) that has been developed specifically to identify and reduce risky workforce behaviours and build a risk aware culture.

IFE Digital Systems

IFE Digital Systems

IFE Digital Systems conducts research, development and consultancy in risk, safety and security related to digital systems in critical infrastructure.

Andreessen Horowitz (a16z)

Andreessen Horowitz (a16z)

Andreessen Horowitz (known as "a16z") is a venture capital firm in Silicon Valley, California that backs bold entrepreneurs building the future through technology.

Shevirah

Shevirah

Shevirah specializes in products for automated mobile and IoT device vulnerability assessment, penetration testing, and mobile security awareness training.

MazeBolt Technologies

MazeBolt Technologies

Israel-based MazeBolt is an innovation leader in cybersecurity, with over two decades of experience in pioneering DDoS protection solutions.

Phy-Cy.X Security Group

Phy-Cy.X Security Group

Phy-Cy.X specialize in the “Physics” of Information Security through both physical and cyber domains. We are not an IT company, we ARE an Information Security company.

Symbol Security

Symbol Security

Through situational learning, simulations, and a gamified user experience, Symbol strengthens the cyber awareness of employees and helps companies lower cyber risk.

Vaultinum

Vaultinum

Vaultinum are a trusted independent third party specialized in the protection and audit of digital assets.

Contextal

Contextal

Contextal develops cutting-edge open-source cybersecurity solutions, designed to connect the dots and detect complex threats, which slip through the existing protections.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.