Last Friday the world was shocked after learning that 50 million users of Facebook have been compromised by a hack in its systems.
The hack’s timeline
According to Facebook’s official announcement, the hack was initially detected by its engineers on Tuesday September 25, 2018 with the “fix” coming on Friday, September 28. However CNN claims that initial detection was at September 16, meaning that it might have taken more than 10 days to fix the vulnerability. Facebook admits that the vulnerability was present since July 2017, which means that the hack might have been really older than September 2018, and only detected after growing to an immense size, taking an additional 10 days to stop.
How did they do it?
The hack, according to Facebook’s own announcement, was made possible by combining three different flaws in Facebook’s code, that could form an actual vulnerability only when combined together. Basic course of attack was “stealing” authentication tokens, which are basically digital keys (large alphanumerical values) that are responsible for keeping a login session active in a computer or mobile device, so that a user does not have to login every time. If an attacker manages to steal a valid token, they could instantly login to a victim’s profile, without using a password.
1) The most major flaw was Facebook’s privacy feature “View as”, which allows users to view their own profile through the “eyes” of other users, to test whether their privacy settings are correct. For example a user might have an album that they don’t want to be viewable by their colleagues at work, all they have to do to test is use the “View As” feature and select the profile of a colleague. While “View As” is supposed to be a read-only feature, a flaw allowed the use of a video uploader in the feature that prompts users to wish happy birthday to their friends, inside the “View As” interface.
2) While the traditional video uploader was not capable of generating an access token, according to Facebook, versions after July 2017, incorrectly generated an access token.
3) Inside the “View as” feature, the video uploader generated an access token not for the user of the feature, but for the one that was being impersonated.
It is our understanding that Facebook is trying to make the situation look like an “act of god”, by using this triple-flaw approach to describe a vulnerability that was indeed rare, however real and probably avoidable if security was top priority budget-wise and every new feature being subject to heavy security testing and assessment.
How did Facebook react?
Facebook’s reaction to stop the attack was disabling the View As feature, and reset access token of 90 million accounts, which included the 50 million accounts that were directly affected, plus 40 million accounts that Facebook considered “at risk”. Resetting access tokens means logging users out of all their devices. They can log in again, however since the vulnerability was disabled and maliciously obtained tokens destroyed, everything should be fine.
How can users protect themselves from similar attacks?
Prevention is the best protection
It is a good idea to avoid having anything critically sensitive inside your facebook account (including in private messages), as a hack could happen again, and not having anything too critical in your profile is the best course of protection, which is prevention. This is not limited to Facebook, but applies in internet services in general, when you have something that could destroy your life if it fell in the wrong hands, then everything is up to your “trust” on the online service you use.
Check your active sessions often
Since the hackers were impersonating authorized devices during the hack, those sessions should be viewable under the “Where You’re Logged In” section of the Security and Login settings in your Facebook profile. You should check this section every now and then, as there doesn’t need to be a widespread hack to get compromised, someone could have just guessed or obtained your password while you weren’t looking.
What have we learned
Facebook is trying to underestimate the situation and get it out of the public’s attention, however as a 100% security level is something unachievable, even for Facebook, everyone has their share of responsibility on protecting themselves, rather than relying on “trust” to a third party and hoping that nothing can go wrong.