Facebook's massive security breach took a turn for the worse last week when the company confirmed attackers may have gained access to third-party applications and websites that allow users to authenticate via Facebook Login.
It's bad news on top of bad news for Facebook, which announced the massive incident on Sept. 28. At least 50 million users were affected when attackers exploited a series of bugs in the platform's "View As" privacy feature, which lets people view their own profiles as though they were someone else – a friend, a stranger, etc. The three bugs had been in place for 14 months.
In July 2017, Facebook introduced a new video uploader, which contained the vulnerabilities that made this attack possible. For one, the uploader was not supposed to appear in the "View As" feature, but for some users it was active. When active, the uploader created an access token, which it was not supposed to do. This token was designed for the person a user was trying to view his or her profile as (a friend or stranger, for example), not for the account holder.
The access token serves as a key to keep people logged into their accounts so they don't have to re-enter their credentials every time they use the app. An attacker could exploit the "View As" bugs to gain an access token, then pivot to other accounts and collect more.
There is "a real sort of irony here," says Jeff Pollard, principal analyst at Forrester, in that a set of features designed for privacy became part of this chain of vulnerabilities.
Facebook began to investigate the problem when it noticed an uptick in user logins on Sept. 16. When it detected the bugs, the company alerted law enforcement, fixed the bugs, and reset the access tokens for 90 million accounts – the 50 million compromised, plus 40 million that had used the "View As" feature during the year prior. It also temporarily disabled the "View As" feature.
But much of the damage may have already been done – and we're not even close to fully recognizing the full extent of how many users, and how much of their data, has been affected.
"This is the most severe security breach in the history of Facebook, affecting not just the company but the entire ecosystem around Facebook," says Prabath Siriwardena, vice president of identity management and security for WSO2. "Facebook has worked to address the breach quickly, but until it announces its findings, we won't know how deep the impact is."
Just the Beginning
Guy Rosen, Facebook's vice president of product management, said in a conference call on Friday that attackers may have leveraged Facebook Login to gain access to user accounts for other websites and applications. Facebook Login lets people use their Facebook usernames and passwords to register for and access different sites and services.
The feature was designed for convenience, not security, as it uses a person's Facebook profile to verify his or her identity for accounts across the Web. If Facebook gets hacked, all the accounts that rely on Facebook for authentication are compromised as well.
"Facebook seems like it might be less affected than services that used Facebook for their logins," Pollard says. "If the access token was compromised, the companies using Facebook Login could have more things done to them than Facebook itself."
Account information could have been changed, he explains, or transactions could have been made without the user's knowledge. If Facebook Login is used for several services, the risk of an attacker compromising multiple accounts is higher. This also puts pressure on third-party apps and services to make sure nothing happened to users and to notify them if something did.
"It's a nightmare from a notification and third-party risk perspective," Pollard adds. Businesses should understand which accounts were engaged and ensure no financial fraud was committed.
What would the attackers' motivation be here?
"The only parties that would be interested in Facebook data are advertisers or nation-states trying to undermine or influence or change things in different countries," points out Avivah Litan, Gartner vice president and distinguished analyst. Financially motivated cybercriminals don't need to seek out information like birthdates or Social Security numbers, she continues. It's all available to them on the Dark Web, the result of several major security breaches.
To breach Facebook "would be overkill" for financially driven attackers. They won't find credit card numbers, financial records, or credit reports on Facebook.
What Can You Do?
For starters, steer clear of the Facebook Login feature. It can't be trusted, Litan says, and this breach is a perfect example of why. "[Attackers] can get everything ... they have your credentials, so they can log in as you," she says.
WSO2's Siriwardena recommends all confirmed or potentially affected users should check their privacy settings and credential recovery options both in Facebook and in other connected apps. There could be many, he adds, depending on how many apps logged into using Facebook Login.
Forrester's Pollard recommends businesses view the Facebook breach as a warning. "Any company has to look at Facebook and realize if someone is determined to get in, they often can," he says. Businesses should take a close look at their notification and incident-response practices.
There's also an application security component worth bearing in mind, Pollard adds.
"More and more companies are relying on software to make money, to engage with customers," he explains. "You have to prioritize application security and recognize all the code you use is a big part of your attack surface."
No matter how strong your engineering team is, a clearly defined process for pushing code changes into production is needed, Siriwardena says. Security reviews must be included throughout the process, from design to development to deployment, and the process must be refined frequently, he adds. One small detail that gets overlooked could result in global effects.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio