Several Bugs Exploited in Massive Facebook Hack
1.10.18 securityaffairs Social Vulnerebility
Facebook Shares More Details on Hack Affecting 50 Million Accounts
Facebook Shares More Details About Hack Affecting 50 Million Accounts
Facebook has shared additional details about the hacker attack affecting 50 million accounts, including technical information and what its investigation has uncovered so far.
The social media giant announced on Friday that malicious actors exploited a vulnerability related to the “View As” feature to steal access tokens that could have been leveraged to hijack accounts. The tokens of nearly 50 million users have been compromised.
The tokens of these users have been reset to prevent abuse, along with the tokens of 40 million others who may be at risk due to the fact that they were subject to a View As lookup in the past year – impacted users will need to log back in to their accounts. The problematic feature has been suspended until a security review is conducted.
Technical details on Facebook hack
The “View As” feature shows users how others see their profile. This is a privacy feature designed to help users ensure that they only share information and content with the intended audience.
The vulnerability that exposed access tokens involved a combination of three distinct bugs affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.
When “View As” is used, the profile should be displayed as a read-only interface. However, the text box that allows people to wish happy birthday to their friends erroneously allowed users to post a video – this was the first bug.
When posting a video in the affected box, the video uploader generated an access token that had the permissions of the Facebook mobile app – this was the second bug as the video uploader should not have generated a token at this point.
The third and final problem was that the generated token was not for the user who had been using “View As” but for the individual whose profile was being looked up.
Hackers could obtain the token from the page’s HTML code, and use it access the targeted user’s account. An attacker would first have to target one of their friends’ account and move from there to other accounts. The attack did not require any user interaction.
“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” explained Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.
Users and information affected by the breach
Facebook says the vulnerability has been patched. The social media giant claims that while the attackers did try to query its APIs to access profile information – such as name, gender and hometown – there is no evidence that any private information was actually accessed.
Facebook’s investigation continues, but the company says it has found no evidence that the attackers accessed private messages or credit card information.
Facebook says impacted users are from all around the world – it does not appear that the attack was aimed at a specific country or region. It’s worth noting that Facebook founder and CEO, Mark Zuckerberg, and Sheryl Sandberg, the company’s COO, were among those affected.
Another noteworthy issue is that the exposed tokens can be used not only to access Facebook accounts, but also third-party apps that use Facebook login. However, the risk should be eliminated now that the existing tokens have been reset.
Users who have linked Facebook to an Instagram account will need to unlink and relink their accounts due to the tokens being reset. Facebook clarified that WhatsApp is not impacted.
Facebook is alerting users whose tokens have been compromised by sending notifications to their accounts. In some cases, users can check if their accounts were actually hacked by accessing the “Security and Login” page from the Settings menu. However, access is only logged if the attacker created a full web session.
Incident timeline and information on attackers
Facebook discovered the breach following an investigation that started on September 16, after noticing a traffic spike, specifically increased user access to the website. However, it only realized that it was dealing with an attack on September 25, when it also identified the vulnerability. Affected users were notified and had their access tokens reset beginning with Thursday, September 27.
As for the attackers, no information has been shared, but the social media firm did note that exploitation of the vulnerability is complex and it did require a certain skill level.
The company says it has notified the FBI and law enforcement. While the company has responded quickly after the breach was discovered, MarketWatch reports that the Data Protection Commission in Ireland, Facebook's main privacy regulator in Europe, could fine the company as much as $1.64 billion under the recently introduced GDPR.
U.S. Senator Mark R. Warner responded to news of the Facebook hack, asking for a full investigation.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Sen. Warner said. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”
FTC Commissioner Rohit Chopra wrote on Twitter that he wants answers.
Despite no evidence of harm to any user, a class action lawsuit has already been filed against Facebook in the United States.
Facebook stock fell 3 percent after the breach was disclosed.