Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

10/2/2018, 03:45 PM

When Facebook Gets Hacked, Everyone Gets Hacked

Facebook's attackers may have gained access to several third-party apps and websites via Facebook Login.

Facebook's massive security breach took a turn for the worse last week when the company confirmed attackers may have gained access to third-party applications and websites that allow users to authenticate via Facebook Login.

It's bad news on top of bad news for Facebook, which announced the massive incident on Sept. 28. At least 50 million users were affected when attackers exploited a series of bugs in the platform's "View As" privacy feature, which lets people view their own profiles as though they were someone else – a friend, a stranger, etc. The three bugs had been in place for 14 months.

In July 2017, Facebook introduced a new video uploader, which contained the vulnerabilities that made this attack possible. For one, the uploader was not supposed to appear in the "View As" feature, but for some users it was active. When active, the uploader created an access token, which it was not supposed to do. This token was designed for the person a user was trying to view his or her profile as (a friend or stranger, for example), not for the account holder.

The access token serves as a key to keep people logged into their accounts so they don't have to re-enter their credentials every time they use the app. An attacker could exploit the "View As" bugs to gain an access token, then pivot to other accounts and collect more.

There is "a real sort of irony here," says Jeff Pollard, principal analyst at Forrester, in that a set of features designed for privacy became part of this chain of vulnerabilities.

Facebook began to investigate the problem when it noticed an uptick in user logins on Sept. 16. When it detected the bugs, the company alerted law enforcement, fixed the bugs, and reset the access tokens for 90 million accounts – the 50 million compromised, plus 40 million that had used the "View As" feature during the year prior. It also temporarily disabled the "View As" feature.

But much of the damage may have already been done – and we're not even close to knowing the full extent of how many users, and how much of their data, have been affected.

"This is the most severe security breach in the history of Facebook, affecting not just the company but the entire ecosystem around Facebook," says Prabath Siriwardena, vice president of identity management and security for WSO2. "Facebook has worked to address the breach quickly, but until it announces its findings, we won't know how deep the impact is."

Just the Beginning
Guy Rosen, Facebook's vice president of product management, said in a conference call on Friday that attackers may have leveraged Facebook Login to gain access to user accounts for other websites and applications. Facebook Login lets people use their Facebook usernames and passwords to register for and access different sites and services.

The feature was designed for convenience, not security, as it uses a person's Facebook profile to verify his or her identity for accounts across the Web. If Facebook gets hacked, all the accounts that rely on Facebook for authentication are compromised as well.

"Facebook seems like it might be less affected than services that used Facebook for their logins," Pollard says. "If the access token was compromised, the companies using Facebook Login could have more things done to them than Facebook itself."

Account information could have been changed, he explains, or transactions could have been made without the user's knowledge. If Facebook Login is used for several services, the risk of an attacker compromising multiple accounts is higher. This also puts pressure on third-party apps and services to make sure nothing happened to users and to notify them if something did.
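The risk described above lands on the relying party: a site that accepts "Login with Facebook" has no way of knowing, from the token alone, whether it was stolen through the "View As" chain or legitimately issued. The following is an added example, not code from Facebook or from any site mentioned in the article, showing the two checks a relying party can make on its own side: verify a presented token server-side against the provider's introspection answer (audience, validity, expiry) rather than trusting what the client sends, and, once the provider announces a token reset, revoke every session that the provider vouched for before that moment and build the notification list from it. The introspection field names (`is_valid`, `app_id`, `user_id`, `expires_at`), the app id, the timestamps and the session table are all constructed for the example; a real provider's schema differs and must be taken from its documentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

# Hypothetical identifier of *this* relying party's registered app.
OUR_APP_ID = "rp-app-12345"

# Constructed clock so the example is deterministic.
NOW = datetime(2018, 9, 28, 12, 0, tzinfo=timezone.utc)
# Constructed cutoff: the moment the identity provider announced its token reset.
PROVIDER_RESET_AT = datetime(2018, 9, 27, 18, 0, tzinfo=timezone.utc)


def validate_introspection(resp: Dict, now: datetime = NOW) -> Tuple[bool, str]:
    """Decide whether a provider access token may establish a session here.

    `resp` is the provider's answer to a server-side token-introspection call.
    The field names (is_valid, app_id, user_id, expires_at) are a CONSTRUCTED
    stand-in; a real provider's schema must be taken from its documentation.
    Returns (ok, user_id) on success or (False, reason) on rejection.
    """
    data = resp.get("data") or {}
    if not data.get("is_valid"):
        return False, "provider reports token invalid or revoked"
    # Audience check: a token minted for some other app must not log anyone in here.
    if data.get("app_id") != OUR_APP_ID:
        return False, "token was not issued to this app"
    exp = data.get("expires_at")
    if exp is None or datetime.fromtimestamp(exp, tz=timezone.utc) <= now:
        return False, "token expired"
    user_id = data.get("user_id")
    if not user_id:
        return False, "no subject in token"
    return True, user_id


@dataclass
class Session:
    session_id: str
    user_id: str
    provider: str      # "local", "facebook", ...: who vouched for the user
    issued_at: datetime
    revoked: bool = False


class SessionStore:
    """In-memory session table; a real deployment would back this with a database."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, session_id: str, user_id: str, provider: str, issued_at: datetime) -> Session:
        s = Session(session_id, user_id, provider, issued_at)
        self._sessions[session_id] = s
        return s

    def is_live(self, session_id: str) -> bool:
        s = self._sessions.get(session_id)
        return s is not None and not s.revoked

    def revoke_federated_before(self, provider: str, cutoff: datetime) -> int:
        """Revoke every live session that `provider` vouched for before `cutoff`.

        This is the relying-party response to an upstream token compromise:
        sessions that may descend from stolen tokens are killed, and the users
        must re-authenticate. Returns the number of sessions revoked.
        """
        n = 0
        for s in self._sessions.values():
            if s.provider == provider and not s.revoked and s.issued_at < cutoff:
                s.revoked = True
                n += 1
        return n

    def affected_users(self, provider: str, cutoff: datetime) -> Set[str]:
        """User ids whose federated sessions predate the cutoff (the notification list)."""
        return {s.user_id for s in self._sessions.values()
                if s.provider == provider and s.issued_at < cutoff}


# Constructed introspection responses for three presented tokens.
_EXP = int((NOW + timedelta(hours=1)).timestamp())
VALID_RESP = {"data": {"is_valid": True, "app_id": OUR_APP_ID,
                       "user_id": "user-001", "expires_at": _EXP}}
OTHER_APP_RESP = {"data": {"is_valid": True, "app_id": "someone-elses-app",
                           "user_id": "user-001", "expires_at": _EXP}}
REVOKED_RESP = {"data": {"is_valid": False, "app_id": OUR_APP_ID,
                         "user_id": "user-001", "expires_at": _EXP}}


def demo_store() -> SessionStore:
    """Build a constructed session table spanning the provider's reset time."""
    store = SessionStore()
    store.create("s1", "user-001", "facebook", PROVIDER_RESET_AT - timedelta(days=3))
    store.create("s2", "user-002", "facebook", PROVIDER_RESET_AT - timedelta(hours=1))
    store.create("s3", "user-003", "facebook", PROVIDER_RESET_AT + timedelta(hours=2))
    store.create("s4", "user-004", "local", PROVIDER_RESET_AT - timedelta(days=10))
    return store


if __name__ == "__main__":
    print(validate_introspection(VALID_RESP))
    print(validate_introspection(OTHER_APP_RESP))
    store = demo_store()
    print("revoked:", store.revoke_federated_before("facebook", PROVIDER_RESET_AT))
    print("notify:", sorted(store.affected_users("facebook", PROVIDER_RESET_AT)))
```

The audience check is the part most often skipped: a token that introspects as valid but was issued to a different app still says nothing about the user's intent to log in to this site. The revocation sweep deliberately leaves locally authenticated sessions and sessions created after the reset alone, so only the population that actually depends on the compromised provider is forced to re-authenticate and notified.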

"It's a nightmare from a notification and third-party risk perspective," Pollard adds. Businesses should understand which accounts were engaged and ensure no financial fraud was committed.

What would the attackers' motivation be here?

"The only parties that would be interested in Facebook data are advertisers or nation-states trying to undermine or influence or change things in different countries," points out Avivah Litan, Gartner vice president and distinguished analyst. Financially motivated cybercriminals don't need to seek out information like birthdates or Social Security numbers, she continues. It's all available to them on the Dark Web, the result of several major security breaches.

To breach Facebook "would be overkill" for financially driven attackers. They won't find credit card numbers, financial records, or credit reports on Facebook.

What Can You Do?
For starters, steer clear of the Facebook Login feature. It can't be trusted, Litan says, and this breach is a perfect example of why. "[Attackers] can get everything ... they have your credentials, so they can log in as you," she says.

WSO2's Siriwardena recommends that all confirmed or potentially affected users check their privacy settings and credential recovery options, both in Facebook and in other connected apps. There could be many, he adds, depending on how many apps were logged into using Facebook Login.

Forrester's Pollard recommends businesses view the Facebook breach as a warning. "Any company has to look at Facebook and realize if someone is determined to get in, they often can," he says. Businesses should take a close look at their notification and incident-response practices.

There's also an application security component worth bearing in mind, Pollard adds.

"More and more companies are relying on software to make money, to engage with customers," he explains. "You have to prioritize application security and recognize all the code you use is a big part of your attack surface."

No matter how strong your engineering team is, a clearly defined process for pushing code changes into production is needed, Siriwardena says. Security reviews must be included throughout the process, from design to development to deployment, and the process must be refined frequently, he adds. One small detail that gets overlooked could result in global effects.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
promoocodes0, 10/6/2018 | 9:13:05 AM
Re: Thanks for sharing
Very well said sir, I appreciate your thinking.
kangnamclinic, 10/3/2018 | 12:11:12 AM
Thanks for sharing
Thanks for sharing.