Facebook Data Breach with 50 million users affected
Facebook issued a security update last Friday to its users about a data breach in September that affected at least 50 million Facebook accounts. At the time of disclosure (Friday, September 28, 2018), Facebook had already taken steps to stop attackers from accessing further user information by invalidating the stolen access tokens and logging 90 million users out of their Facebook accounts.
From the statement by Mark Zuckerberg to the press on Friday morning:
The reality here is we face constant attacks from people who want to take over accounts or steal information. I’m glad we identified this one, fixed the vulnerability and secured the accounts that may be at risk. But we need to do more to prevent this from happening in the first place.
Facebook discovered a combination of vulnerabilities in its web application that allowed attackers to gain full access to roughly 50 million accounts. Guy Rosen, VP of Product, commented on this:
It was the combination of these three bugs that became a vulnerability: when using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user.
The three bugs that together allowed attackers to take over accounts were:
- The View As feature left the birthday composer on the page, so the viewer could upload a video to wish the viewed person a happy birthday.
- The video uploader inside that composer incorrectly generated an access token at all, and one intended for the Facebook mobile app at that.
- When the uploader ran in the View As context, it generated that token not for you, the viewer, but for the user whose profile was being viewed.
The access token was exposed in the HTML of the page, so the attacker could extract it, use it to act as that user, open View As from that account to look at one of its friends, and extract the next token. The intruders scaled this up in mid-September and collected at least 50 million tokens this way, which is what Facebook’s statement implies by “affected accounts”. So Facebook detected the attack because it was run at scale against millions of accounts. The underlying vulnerability, however, had existed for a little over a year before September 2018. It could therefore have been exploited by the same or other attackers against any number of accounts at any time between July 2017 and September 2018 and would have gone completely undetected. That is why, without any evidence either way on whether it was exploited earlier, Facebook invalidated access tokens for an additional 40 million accounts, logging out a total of 90 million users.
What is an access token?
An access token is a credential issued by Facebook to a third-party application or device that allows it to act on behalf of the user for a limited time. The tokens stolen for 50 million users were intended for the Facebook mobile app, meaning that attackers could take any action on a user’s account that the Facebook mobile app is permitted to take, including:
- Posting messages
- Adding and removing friends
- Liking and commenting on posts
- Changing personal information
- Changing privacy settings
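To make the three-bug chain and the scoped mobile-app token concrete, here is a small Python model of the mechanism: a View As page that mints a token for the wrong principal and leaks it in the HTML, an attacker loop that extracts the token and pivots through the friend graph, and a hardened rendering that mints nothing. This is an added example, not Facebook’s code; the user names, friend graph, token format, HTML markup, scope names and the hardened variant are all constructed assumptions for illustration.

```python
"""Toy model of the three-bug "View As" chain.  Added example, not
Facebook's code; user names, the friend graph, the token format and the
HTML markup are all constructed for illustration."""
import base64
import hashlib
import hmac
import json
import re
import time

SERVER_KEY = b"constructed-demo-signing-key"  # assumption: server-side secret
MOBILE_APP = "facebook-mobile"                 # assumption: audience label
# The kinds of action the stolen mobile-app tokens permitted, per the list above.
MOBILE_SCOPES = ("publish_posts", "manage_friends", "like_comment",
                 "edit_profile", "edit_privacy")


def mint_token(subject, audience, scopes, ttl=3600, now=None):
    """Issue a signed bearer token: who it acts as (sub), which app may use
    it (aud), what it may do (scopes) and when it expires (exp)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "aud": audience, "scopes": list(scopes),
               "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Check signature and expiry; return the payload or raise ValueError."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return payload


def birthday_composer(principal):
    # Bug 2: the video uploader mints a mobile-app token at render time and
    # drops it into the page source, where whoever loaded the page can read it.
    token = mint_token(principal, MOBILE_APP, MOBILE_SCOPES)
    return f'<div id="composer"><script>var uploaderToken = "{token}";</script></div>'


def render_view_as_vulnerable(session_user, view_as_friend):
    """session_user previews their own profile as view_as_friend sees it."""
    page = [f"<h1>{session_user} (as seen by {view_as_friend})</h1>"]
    # Bug 1: the composer should be hidden in a read-only preview but is not.
    # Bug 3: the token is minted for the person being looked up, not the viewer.
    page.append(birthday_composer(principal=view_as_friend))
    return "\n".join(page)


def render_view_as_fixed(session_user, view_as_friend):
    """Hardened variant (an assumed remediation, not Facebook's published
    fix): a preview renders no interactive components, so no token is
    minted and nothing about view_as_friend's credentials reaches the page."""
    return f"<h1>{session_user} (as seen by {view_as_friend})</h1>"


TOKEN_RE = re.compile(r'uploaderToken = "([^"]+)"')


def harvest(render, start_user, friends):
    """Attacker loop: from an account we control, View As each friend, pull
    the embedded token, and if it belongs to the friend, act as them and
    repeat from their friend list.  Returns {victim: token}."""
    stolen, visited, frontier = {}, {start_user}, [start_user]
    while frontier:
        current = frontier.pop()
        for friend in friends.get(current, ()):
            if friend in visited:
                continue
            match = TOKEN_RE.search(render(current, friend))
            if not match:
                continue
            payload = verify_token(match.group(1))
            if payload["sub"] == current:
                continue  # token is our own; nothing to pivot with
            stolen[payload["sub"]] = match.group(1)
            visited.add(friend)
            frontier.append(friend)  # we can now act as this friend
    return stolen


# Constructed friend graph for the demonstration.
FRIENDS = {
    "attacker": ["alice"],
    "alice": ["attacker", "bob", "carol"],
    "bob": ["alice", "dave"],
    "carol": ["alice"],
    "dave": ["bob", "erin"],
    "erin": ["dave"],
}

if __name__ == "__main__":
    print("vulnerable:", sorted(harvest(render_view_as_vulnerable, "attacker", FRIENDS)))
    print("fixed:     ", sorted(harvest(render_view_as_fixed, "attacker", FRIENDS)))
```

Run against `render_view_as_vulnerable`, `harvest` walks the entire constructed friend graph from a single controlled account and returns a token for every reachable user, each signed for the mobile app with the full scope list; against `render_view_as_fixed` it returns nothing. The same loop doubles as a regression check for View As: any token found in a preview page whose subject is not the logged-in user is a bug.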
Here is the statement from Guy Rosen on whether the stolen access tokens were misused:
We haven’t seen that the access tokens were used to access private messages or posts or post anything to the accounts, but it is still early and that may change.
The open question is whether Facebook has failed to comply with the GDPR, something to be determined in the coming weeks. But the fact that attackers could have changed the personal information or privacy settings of over 50 million users is a bit chilling…
Facebook’s Chief Information Security Officer, Alex Stamos, left the company on August 17, 2018, and the CISO role has not been filled since. Here is what Mark Zuckerberg had to say about the long-term plan for dealing with cyber-security threats:
This is, as I’ve said in a number of our — number of the things I’ve written in and spoken about, including election security — security is a bit of — it’s an arms race. And we’re continuing to improve our defenses and I think that this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community.
And I think that the teams that we have at Facebook are very focused on this and there are a lot of talented people who are working on this and I think doing good work. But this is going to be an ongoing effort; we’re going to need to keep on focusing on this over time.
Mark, who got his own prominent start as a hacker, calls this relatively hard-to-find exploit chain of three critical vulnerabilities in the Facebook code base, which went undetected for more than a year, part of an “arms race”.
How to prevent this from happening at my company?
Facebook failed to detect a critical vulnerability in its system because of a lack of testing on the platform in general, including thorough testing of the “View As” functionality. It is now paying the price in public trust and potential multi-billion-dollar fines. Here are a few steps your company can take to prevent the same thing:
- Test feature interactions, not just features in isolation, when introducing new features or integrations: here, View As combined with the video uploader exposed a token that neither feature would have exposed on its own.
- Perform penetration testing, both black box and white box.
- Adopt OWASP or another security framework as part of the SDLC, and perform a thorough security audit of each new feature as part of the regular release cycle.