It’s not been a good week for Facebook.
Today the social media giant admitted almost 50 million accounts may have been compromised by an unknown attacker who obtained access tokens, the credentials that keep users logged in so they don’t have to re-enter passwords every time they use the service, with another 40 million accounts in question. As a result, 90 million subscribers have been logged out and asked to log in again after the company reset their access tokens.
It may also affect other web sites where people use their Facebook credentials for logging in.
Facebook has some 2 billion users.
Users don’t have to change their passwords. Facebook hasn’t determined whether these accounts were misused or any information accessed.
Meanwhile on Thursday privacy advocates were up in arms after Facebook admitted phone numbers subscribers give for confirmation of two-factor authentication are also being used to target advertising.
–First the data breach:
Facebook VP of product management Guy Rosen said Friday that on Sept. 25th its engineering team discovered a “security issue” affecting almost 50 million accounts. Attackers “exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The access tokens on those accounts were reset, so those users have to log back in. In addition, as a precaution Facebook reset access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
The “View As” feature for the time being has been shut off.
Rosen said the attack “exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
As expected, officials at security vendors were quick to send comments to reporters.
“Facebook’s recent “View As” vulnerability underscores the level of persistence on the part of attackers,” wrote Matt Chiodi, vice-president of cloud security at RedLock. “If there’s a high enough value target, they will get in sooner or later. Remember that Facebook today employs over 10,000 cybersecurity professionals. No system or application is 100 per cent secure. What’s most intriguing is that despite a formal bug bounty program, the vulnerability has been present in Facebook code since July of 2017. It’s hard to believe that a vulnerability of this size would persist this long undetected.”
The number of people affected by this breach is roughly equal to the entire population of the west coast of the United States, noted Adam Levin, founder of CyberScout. “The latest Facebook breach was caused by an upgrade. The takeaway is simple: Any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process. The traditional “patch and pray” approach to cybersecurity is obsolete. An effective vulnerability management program is crucial. ”
“Inside the walls of Facebook, there has got to be concern over any GDPR (Europe’s General Data Protection Regulation) -related repercussions,” said Tim Erlin, Tripwire’s vice-president of product management and strategy. “This could be a real litmus test for the fledgling regulation.”
“The view-as feature within Facebook’s platform, while well-intentioned, is difficult to implement programmatically, in that you are viewing your account as another individual – essentially a light version of account impersonation,” wrote Greg Foss, Senior Manager of Threat Research at LogRhythm. When implemented properly, the user gets a specific view of an account based on what is programmatically known about the account he/she is viewing from. But the video uploading feature had a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles, and then the accounts of ‘friends’ or those already connected to the compromised account.
“If that’s true,” he said, “it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”
Ray Rothrock, CEO of RedSeal, said the breach “is a textbook example of exactly what digital resilience is not. They weren’t prepared for the unexpected intrusion of their systems. Given Facebook’s already shaky public perception, their number one priority should be protecting their customers, who are also their highest-value asset. On the heels of their already challenging year it will be difficult – perhaps impossible – for Facebook to recover from both the impact on customers’ trust, and its resulting business performance. Conversely, companies that can isolate or limit the bad guys once they’re inside the network will maintain their value and the trust of their customers and investors. Digital resilience is the strategic proactive answer.”
Mark Nunnikhoven, Ottawa-based vice-president of cloud research at Trend Micro, said there is a lot lacking in Facebook’s explanation, details which, he admits, the company may not be aware of yet. But, he said in an email, because the attack could have been conducted between July, 2017 and this week — during which millions of users could have been impacted — those technical details “are needed ASAP.”
Snagging the access tokens allowed the attacker to expand the scale and scope of the attack, commented Forrester Research analyst Jeff Pollard. It’s effectively a pivot that allowed the attacker to access more accounts. In this case it appears the video uploader was generating those tokens, which was not its intended functionality. The next piece of information Facebook will need to share is what those tokens provided access to, specifically what API functions were available and what data was accessible based on the permissions granted to the access tokens.
–The phone controversy:
On Wednesday, Gizmodo reporter Kashmir Hill ran a story about testing a theory of Northeastern University computer science professor Alan Mislove, who wondered if Facebook is letting advertisers reach users with user contact information it collects. So she ran an ad targeted just at him, but not using his name: It was configured to display the ad to a Facebook account connected to the landline number for Alan Mislove’s office, which he never gave to the social media company.
The ad popped up a few hours later.
How? “Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising,” Hill wrote. “It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.” I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.”
This follows up on research Mislove has done with other researchers, which can be found here. They found that when a user gives Facebook a phone number for two-factor authentication or to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.
“So,” writes Hill, “users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.”
A Facebook spokesperson told Hill that “we use the information people provide to offer a more personalized experience, including showing more relevant ads.”
Facebook stopped making a phone number mandatory for two-factor authentication four months ago.
The story sparked angry comments on Twitter. “Extremely problematic to use info provided for security for ads purposes. Can erode the trust for security measures such as two factor,” wrote one person. “Gross and completely irresponsible,” wrote another.