Facebook has reset logins for 90 million users after discovering a security breach where attackers exploited three vulnerabilities in Facebook’s code. The company does not know who the attackers were, where they are based, or what they did with the impacted user accounts.
It’s still early in the investigation and the security team is still piecing together what kind of information was accessed, Guy Rosen, Facebook’s vice president of product management, wrote in Facebook's security update. However, Rosen said that attackers stole user access tokens, which keep people logged in so they don’t have to log in every time they want to use the application. With these tokens, the attackers had direct control of these accounts. That means more than being able to post on the platform, having access to the user profile data. Attackers could do a complete Facebook data takeout, read everything sent via the Messenger app, get information about friends, and review location data.
“Tokens allow you to act as the user, so you can do anything they can do,” said Tim Mackey, technical evangelist at Synopsys.
Facebook users who were impacted would see a message on the News feed informing them of the breach when they logged in, Rosen said. Those users should assume that the attackers had access to everything--anything they could see, download, read, or change, when logged in, the attackers could do.
Social networking accounts are valuable targets because the attackers use the accounts to gather information about the user and user’s friends, whether that is personal details, interests, or usage patterns, said Paul Bischoff, a privacy advocate with Comparitech. The attacker can look at friends’ profiles, impersonate the user in conversations with the friends, or send out spam with malicious links.
“This information can be used for targeting later on,” Bischoff said.
It’s also possible these authentication tokens could be used to log in to websites that support the “Log in with Facebook” feature, although the company did not confirm or deny whether this was the case. If attackers had gained access to these other sites, then they had access to more than just profile information. They could have had access to files saved on cloud storage sites, for example.
“I see it [information gathering] as the first step in the attack lifecycle, before exploitation and data exfiltration,” Chris Morales, head of security analytics at Vectra.
Not a Simple Attack
The attackers took advantage of three vulnerabilities in Facebook’s code related to the “View As” feature, which lets people see what their profiles look like to someone else, and a video upload tool. This wasn’t a simple attack. The attacker had to trigger the first bug to get the upload tool to appear on posts where it shouldn’t have. Then, the attacker combined the second and third flaw with the “View As” feature to get the upload tool to generate an access token for the person being looked up. Finally, the attacker had to know how to pivot to other accounts to steal more tokens. During the investigation, Facebook discovered that the attackers had used the site’s API to automate the process for grabbing user profiles.
"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Rosen said.
The vulnerabilities have been addressed and Facebook has reset logins for 50 million users whose access tokens were stolen and 40 million users who had used the View As feature within the past year. The “View As” feature has been temporarily disabled and law enforcement has been alerted, the company said.
Rosen said if more affected accounts are found, Facebook will immediately reset access tokens. Users can take also take precautions by going to the Settings menu and looking at all current login sessions listed in the “Where You’re Logged in” log, under the Security and Login section. Clicking on the link to log out of all sessions will close all sessions and end any unauthorized activity.
Unlike other data breaches, the attackers didn’t siphon out any data from the servers. That doesn’t minimize the seriousness of the breach, since the attackers could just “become” the user.
“After the misuse of personal information by Cambridge Analytica, one starts to speculate that the same information is being harvested for similar militant bot and troll activity online,” said Jeannie Warner, security manager at White Hat Security.