If you were unexpectedly logged out of your Facebook account this past week, you can count yourself as one of more than 90 million people out of the company’s more than 2.5 billion monthly users whose account access it reset.
The Friday acknowledgment by the world’s most popular social network of the successful cyberattack that led to the mass account reset dovetailed with the high drama surrounding the explosive Supreme Court nomination hearings for Brett Kavanaugh—and like the hearings, it alarmed officials and left key questions unanswered.
Facebook is already facing at least one class action lawsuit over the breach from two California users, as well as numerous demands for more information by U.S. and Irish regulators. And although Facebook reported the breach to Europe in accordance with the General Data Protection Regulation privacy law, it could still face a $1.63 billion fine.
Unlike the Cambridge Analytica incident, which Facebook traced back to data-mining techniques of various third parties, the company says the breach it disclosed last week was conducted by unknown sources and took advantage of a complex security vulnerability in its code.
In a statement released by Guy Rosen, Facebook’s vice president of product management, the company says it logged out 50 million users whose accounts Facebook suspects were accessed, as well as 40 million additional users whose accounts showed that they had used the affected feature: Facebook’s “View As,” which allows users to see what their profile looks like to the public.
Rosen wrote that hackers were able to exploit a vulnerability in its video-uploading service to steal digital keys known as “access tokens” that keep Facebook users logged in, so they don’t have to enter their password every time they want to use the service.
Facebook has “fixed the vulnerability and informed law enforcement,” has “reset access tokens,” and is “temporarily turning off the View As feature” in the immediate wake of the hack, Rosen wrote.
Rosen said the company learned about the hack on September 16, thanks to an unusual spike in activity. But no Facebook representative has yet released an estimate of how much data attackers might have obtained, in part because the vulnerabilities were introduced more than a year ago—in July 2017.
READ MORE ON FACEBOOK AND PRIVACY
What’s in your Facebook data? More than you think
Ready to #DeleteFacebook? Follow these 7 steps
How to recover from a Facebook hack
7 ways to boost your Facebook privacy
How to block Facebook (and others) from your microphone
Facebook, EFF security experts sound off on protecting the vulnerable
Facebook’s Stamos on protecting elections from hostile hackers (Q&A)
While 90 million accounts amounts to a small fraction of Facebook’s total active monthly Facebook users, security experts caution that the amount of information stolen from those 3.6 percent could be enormous.
The hackers “were able to access anything from the profile. Not just basic profile information,” says Marc Rogers, vice president of cybersecurity strategy for online identity management company Okta. “If you’re using Facebook to access other apps, through that access token, they can essentially access those apps.”
On Tuesday, after The Parallax spoke with Rogers, Rosen wrote a blog post stating that Facebook’s investigation has “so far found no evidence” that the hackers used those tokens to access third-party apps. He said Facebook is building a tool to help third-party app developers manually identify and log out any of their users who might have been affected by the breach.
“Federated identity and single sign-on are helping security.”—Marc Rogers, vice president of cybersecurity strategy, Okta
Some of the biggest of those third parties, such as Airbnb and Pinterest, remain tight-lipped about the attack’s impact. CNN reports that Tinder has received only “limited information” from Facebook.
Facebook-owned WhatsApp was not affected by the breach, the company said.
The true scope of the hack won’t be known for some time. So far, Messenger chat logs and associated data do not appear to be affected, nor does Facebook’s image-based social network, Instagram. That may change, as hack attributions and digital forensics can be tricky business.
And as Facebook CEO Mark Zuckerberg said in a press call Friday morning, “The attackers did try to query our APIs to access profile information fields—like name, gender, hometown, etc.—but we do not yet know if any private information was accessed that way. We’re continuing to look into this, and we will update when we learn more.”
What led to the breach
Pedro Canahuati, vice president of engineering, security, and privacy at Facebook, explained in a blog post that the vulnerability was created by the linking of three “distinct” software bugs.
The first bug is that its View As feature, “which should be ‘view-only,’” he wrote, allowed users to post a video in the box that lets Facebook users wish their friends a happy birthday.
“We do not display credit card information, even to account holders.”—Guy Rosen, vice president of product management, Facebook
The second bug came from a new version of the video uploader, which created an access token when it shouldn’t have.
The third bug involved the access token itself. It let users go into View As mode, then browse Facebook not as themselves (with their friends’ lists and personal settings), but rather as the users whose profiles they were viewing.
On their own, these bugs may not have amounted to much. But linked together, they opened up Facebook’s data collection to exploitation.
“That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user,” Canahuati wrote. “The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”
What’s safe—and what might not be
In a press call on Friday, Rosen said user credit card information entered on Facebook is “safe.”
“We do not display credit card information, even to account holders,” he said.
Facebook users can derive some insight into how they might have been affected by the attack. To see account activity, users whose account access was reset can go to their Activity Log. Under the left-side navigation column for Filters, then Comments, they can select More, then Logins and Logouts.
Records of log-outs without log-ins indicate potential hacker activity on your account, tweeted Lucky225, a longtime hacker expert and computer security author.
The recorded Internet Protocol addresses associated with each Facebook account log-in or log-out can be traced back to specific countries. From there, identification gets much more difficult. We have yet to learn who the hackers behind this attack are. Nobody has stepped forward to claim responsibility, and digital forensics can take years.
So here’s my @facebook #breach thread. Lots of IPs showing logged out that never logged in from .CN,.RU,.DE,.CA, Netherlands and others going back to May 24th of this year. I have 2FA and login notifications enabled,never notified of any of this. https://t.co/ur37hsCppq
— Lucky225🍀✸ (@lucky225) September 30, 2018
Facebook says it has fixed the vulnerability, and turned off the View As feature while it conducts its investigation. Beyond its statements, there still aren’t many facts available to help understand what data was stolen.
What might happen next
There’s no need to change your password at this time, Rosen says, because access tokens do not contain user passwords. And because the hack was derived from access tokens, it was unrelated to two-factor authentication, which is still considered an effective tool for enforcing tougher account security.
Still, the repercussions of the breach could be enormous. Jason Polakis, assistant professor of computer science at the University of Chicago, asserts that the stolen tokens could have been used to access information on third-party sites that use Facebook’s single sign-on, even if the user hadn’t authorized single sign-on for the site in question.
Facebook is the largest single sign-on provider, Polakis and fellow researchers say in a paper published in August on the risks of improper implementation of single sign-on technology.
Another very critical yet overlooked problem is that the stolen tokens can be used to obtain access to a user’s account on other websites that support Facebook SSO *even if the user doesn’t use Facebook SSO* to access them. This depends on 3rd party implementations. (6/n)
— jason polakis (@jpolakis) September 29, 2018
Polakis’ paper underscores that organizations need to more deeply analyze their use of single sign-on. Rogers, whose company, Okta, makes a single sign-on cybersecurity product, worries that users and organizations will shy away from using single sign-ons instead of improving how they implement them.
“Federated identity and single sign-on are helping security,” he says. Security tools like single sign-on make it “easier to build securely by design, without having to invest heavily in it. That way, we up-level security for everyone.”
Potential uses of stolen user data are far-reaching. Recent extortion email spam has taken advantage of years-old, stolen user passwords and social pressure to scare users into paying scammers. And user data can be strategically deployed to influence elections, as it was in the Cambridge Analytica case.
But a breach like this, Rogers says, raises concerns about how organizations that, like Facebook, pride themselves on enormous investments in user data as a business model, protect the data.
After making “egregious mistakes” that led to this breach, Rogers says, Facebook did the right thing by resetting account access and quickly notifying users. But it still needs to do more.
“They need to build on that and say what information was put at risk,” he says. “The silence is starting to get a little bit awkward. What are you going to do next? Just saying that your account was affected, and you’re at risk, isn’t enough.”