When Facebook Gets Hacked, Everyone Gets Hacked

Published: 23/11/2024   Category: security




Facebook's attackers may have gained access to several third-party apps and websites via Facebook Login.



Facebook's massive security breach took a turn for the worse last week when the company confirmed that attackers may have gained access to third-party applications and websites that allow users to authenticate via Facebook Login.
It's bad news on top of bad news for Facebook, which announced the incident on Sept. 28. At least 50 million users were affected when attackers exploited a chain of bugs in the platform's View As privacy feature, which lets people view their own profiles as though they were someone else, such as a friend or a stranger. The three bugs had been in place for 14 months.
In July 2017, Facebook introduced a new video uploader, which contained the vulnerabilities that made this attack possible. First, the uploader was not supposed to appear at all in the View As feature, but for some users it did. Second, when it did appear, the uploader generated an access token, which it was never supposed to do. Third, that token was issued for the person whose view was being simulated (the friend or stranger), not for the account holder doing the viewing.
An access token is the credential that keeps a person logged in so they don't have to re-enter their password every time they use the app; whoever holds a valid token can act as that user. An attacker could exploit the View As bugs to obtain the token of the person being viewed as, then repeat the trick from that account to collect tokens for more accounts.
"There is a real sort of irony here," says Jeff Pollard, principal analyst at Forrester, "in that a set of features designed for privacy became part of this chain of vulnerabilities."
Facebook began to investigate the problem when it noticed an uptick in user logins on Sept. 16. When it found the bugs, the company alerted law enforcement, fixed the bugs, and reset the access tokens for 90 million accounts: the 50 million compromised, plus 40 million that had used the View As feature during the prior year. It also temporarily disabled the View As feature.
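The signal that started Facebook's investigation was a rise in login volume. As an added example (not Facebook's code, and not the detection it actually ran), the block below shows the shape of such a check: bucket login events by hour, compare each hour with the preceding window, and flag an hour that is both several standard deviations above the baseline and at least a fixed number of logins above it. The log lines, counts and timestamps are constructed for the example.

```python
"""Login-volume spike detection, a toy version of the signal that started
Facebook's investigation: an unexpected rise in user logins on Sept. 16.
Added example; the log lines are constructed here and are not Facebook's."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed hourly login counts: 24 quiet hours, then one hour of 40 logins.
BASELINE_COUNTS = [3, 2, 4, 3, 2, 5, 3, 4, 6, 5, 4, 3,
                   4, 5, 6, 4, 3, 5, 4, 3, 2, 4, 3, 2]
SPIKE_COUNT = 40


def build_sample_log(start="2018-09-15T00:00:00Z"):
    """Return log lines of the form 'timestamp user_id source_ip', one per
    login, spread across 25 consecutive hours starting at `start`."""
    t0 = datetime.strptime(start, TS_FMT).replace(tzinfo=timezone.utc)
    lines = []
    for hour, n in enumerate(BASELINE_COUNTS + [SPIKE_COUNT]):
        for i in range(n):
            ts = t0 + timedelta(hours=hour, minutes=(i * 7) % 60)
            lines.append(f"{ts:{TS_FMT}} u{1000 + i} 203.0.113.{i % 250 + 1}")
    return lines


def parse_line(line):
    """Split one log line into (aware datetime, user_id, source_ip)."""
    ts, user, ip = line.split()
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc), user, ip


def logins_per_hour(lines):
    """Bucket logins by hour; returns (counts, hour_starts) in time order."""
    counts = Counter()
    for line in lines:
        ts, _user, _ip = parse_line(line)
        counts[ts.replace(minute=0, second=0)] += 1
    hours = sorted(counts)
    return [counts[h] for h in hours], hours


def find_spikes(counts, window=12, threshold=3.0, min_delta=5):
    """Indexes of hours whose count exceeds the mean of the preceding
    `window` hours by at least `threshold` standard deviations AND by at
    least `min_delta` logins. The absolute floor keeps a flat, low-volume
    baseline (tiny sigma) from flagging ordinary noise."""
    flagged = []
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        mu, sigma = mean(base), pstdev(base)
        if counts[i] - mu >= max(threshold * sigma, min_delta):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    counts, hours = logins_per_hour(build_sample_log())
    for i in find_spikes(counts):
        print(f"spike at {hours[i]:{TS_FMT}}: {counts[i]} logins "
              f"vs. mean {mean(counts[i - 12:i]):.1f} over prior 12h")
```

On the constructed data only the 25th hour (the first hour of Sept. 16) is flagged. In practice the same idea is run per region, per client type or per login path, because a spike that is invisible in the global total can still stand out in one slice.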
But much of the damage may already have been done, and we're not even close to knowing the full extent of how many users, and how much of their data, have been affected.
"This is the most severe security breach in the history of Facebook, affecting not just the company but the entire ecosystem around Facebook," says Prabath Siriwardena, vice president of identity management and security for WSO2. "Facebook has worked to address the breach quickly, but until it announces its findings, we won't know how deep the impact is."
Just the Beginning
Guy Rosen, Facebook's vice president of product management, said in a conference call on Friday that attackers may have leveraged Facebook Login to gain access to user accounts on other websites and applications. Facebook Login lets people use their Facebook credentials to register for and sign in to other sites and services.
The feature was designed for convenience, not security: it uses a person's Facebook identity to vouch for them on accounts across the Web. If an attacker holds a valid Facebook access token for a user, any site that accepts Facebook Login and trusts that token can be entered as that user, too.
"Facebook seems like it might be less affected than services that used Facebook for their logins," Pollard says. "If the access token was compromised, the companies using Facebook Login could have more things done to them than Facebook itself."
Account information could have been changed, he explains, or transactions could have been made without the user's knowledge. If Facebook Login is used for several services, the risk of an attacker compromising multiple accounts is higher. This also puts pressure on third-party apps and services to make sure nothing happened to their users and to notify them if something did.
"It's a nightmare from a notification and third-party risk perspective," Pollard adds. Businesses should work out which accounts were engaged and ensure no financial fraud was committed.
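The third-party exposure described above comes down to how a relying site turns a Facebook access token into a local session, and what it does when Facebook resets tokens. As an added example (not Facebook's code nor any particular site's), the block below shows the server-side checks a relying party should make before trusting a token, and a session store that can revoke every local session minted from a token issued before a provider-side reset. The dictionary shapes follow the documented fields of Facebook's debug_token reply (data.app_id, data.user_id, data.is_valid, data.expires_at, data.issued_at), but the sample replies, APP_ID, SessionStore and the fixed clock are constructed for the example.

```python
"""Relying-party side of Facebook Login: what a third-party site should check
before it turns a Facebook access token into a local session, and how to
react when the identity provider resets tokens. Added example, not Facebook's
or any site's code. The response dictionaries mirror the documented fields
of Facebook's GET /debug_token reply (data.app_id, data.user_id,
data.is_valid, data.expires_at, data.issued_at) but are constructed here;
SessionStore is a stand-in for the site's own session table."""
import time


class TokenRejected(Exception):
    """Raised when a presented token must not be used to log anyone in."""


def validate_debug_token(resp, expected_app_id, claimed_user_id, now=None):
    """Return the Facebook user id the token really belongs to, or raise.

    A site must not take the user id from the client; it asks Facebook
    whom the token was issued to (the debug_token call, made server-side
    with the app's own app token) and then checks that reply here."""
    now = time.time() if now is None else now
    data = resp.get("data")
    if not isinstance(data, dict):
        raise TokenRejected("malformed debug_token response")
    if not data.get("is_valid", False):
        raise TokenRejected("token is not valid (revoked, reset or forged)")
    # A valid token for some *other* app must not log anyone in here.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at", 0)  # epoch seconds; 0 = no expiry here
    if expires_at and expires_at <= now:
        raise TokenRejected("token has expired")
    if str(data.get("user_id")) != str(claimed_user_id):
        raise TokenRejected("token does not belong to the claimed user")
    return str(data["user_id"])


def token_is_accepted(resp, expected_app_id, claimed_user_id, now):
    """Boolean wrapper around validate_debug_token for quick checks."""
    try:
        validate_debug_token(resp, expected_app_id, claimed_user_id, now)
        return True
    except TokenRejected:
        return False


class SessionStore:
    """In-memory stand-in for the site's session table. Each session records
    the Facebook user it was created for and when that token was issued, so
    sessions can later be tied back to a token reset at the provider."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id, fb_user_id, token_issued_at):
        self._sessions[session_id] = {"fb_user_id": fb_user_id,
                                      "token_issued_at": token_issued_at}

    def is_active(self, session_id):
        return session_id in self._sessions

    def revoke_issued_before(self, cutoff):
        """When the provider resets tokens (Facebook reset 90 million), every
        local session minted from a token issued before the cutoff is suspect:
        drop them all and return the number removed."""
        stale = [sid for sid, s in self._sessions.items()
                 if s["token_issued_at"] < cutoff]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def login_with_facebook(store, session_id, resp, app_id, claimed_user_id, now):
    """Create a local session only after the token passes every check."""
    user_id = validate_debug_token(resp, app_id, claimed_user_id, now)
    store.create(session_id, user_id, resp["data"].get("issued_at", now))
    return user_id


# Constructed sample replies and a fixed clock (2018-09-23T00:00:00Z).
NOW = 1_537_660_800
APP_ID = "123456"
GOOD = {"data": {"app_id": APP_ID, "user_id": "987", "is_valid": True,
                 "expires_at": NOW + 3600, "issued_at": NOW - 86400}}
OTHER_APP = {"data": dict(GOOD["data"], app_id="999999")}
RESET = {"data": dict(GOOD["data"], is_valid=False)}
EXPIRED = {"data": dict(GOOD["data"], expires_at=NOW - 1)}

if __name__ == "__main__":
    store = SessionStore()
    print("login:", login_with_facebook(store, "s1", GOOD, APP_ID, "987", NOW))
    for name, resp in [("other app", OTHER_APP), ("reset", RESET), ("expired", EXPIRED)]:
        print(name, "accepted:", token_is_accepted(resp, APP_ID, "987", NOW))
    print("sessions revoked after provider reset:", store.revoke_issued_before(NOW))
```

The point of recording the token issue time per session is the one Pollard raises: once Facebook reset tokens, a relying site had no way to know which of its own sessions were created by the real user and which by someone holding a stolen token, unless it could tie each session back to the token that created it and drop everything from before the reset.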
What would the attackers' motivation be here?
"The only parties that would be interested in Facebook data are advertisers or nation-states trying to undermine or influence or change things in different countries," points out Avivah Litan, Gartner vice president and distinguished analyst. Financially motivated cybercriminals don't need to seek out information like birthdates or Social Security numbers, she continues. "It's all available to them on the Dark Web," the result of several major security breaches.
Breaching Facebook would be overkill for financially driven attackers: they won't find credit card numbers, financial records, or credit reports there.
What Can You Do?
For starters, steer clear of the Facebook Login feature. "It can't be trusted," Litan says, and this breach is a perfect example of why. "[Attackers] can get everything ... they have your credentials, so they can log in as you," she says.
WSO2's Siriwardena recommends that all confirmed or potentially affected users check their privacy settings and credential recovery options, both in Facebook and in every connected app. There could be many, he adds, depending on how many apps were signed into using Facebook Login.
Forrester's Pollard recommends that businesses treat the Facebook breach as a warning. "Any company has to look at Facebook and realize if someone is determined to get in, they often can," he says. Businesses should take a close look at their notification and incident-response practices.
There's also an application security component worth bearing in mind, Pollard adds.
"More and more companies are relying on software to make money, to engage with customers," he explains. "You have to prioritize application security and recognize all the code you use is a big part of your attack surface."
No matter how strong your engineering team is, a clearly defined process for pushing code changes into production is needed, Siriwardena says. Security reviews must be included throughout the process, from design to development to deployment, and the process must be refined frequently, he adds. One small detail that gets overlooked could have global effects.