When Facebook Gets Hacked, Everyone Gets Hacked

Facebook's attackers may have gained access to several third-party apps and websites via Facebook Login.

Facebook's massive security breach took a turn for the worse last week when the company confirmed attackers may have gained access to third-party applications and websites that allow users to authenticate via Facebook Login.

It's bad news on top of bad news for Facebook, which announced the massive incident on Sept. 28. At least 50 million users were affected when attackers exploited a series of bugs in the platform's "View As" privacy feature, which lets people view their own profiles as though they were someone else – a friend, a stranger, etc. The three bugs had been in place for 14 months.

In July 2017, Facebook introduced a new video uploader, which contained the vulnerabilities that made this attack possible. For one, the uploader was not supposed to appear in the "View As" feature, but for some users it was active. When active, the uploader created an access token, which it was not supposed to do. That token was issued for the person whose perspective the user was viewing his or her profile from (a friend or stranger, for example), not for the account holder.

The access token serves as a key to keep people logged into their accounts so they don't have to re-enter their credentials every time they use the app. An attacker could exploit the "View As" bugs to gain an access token, then pivot to other accounts and collect more.

There is "a real sort of irony here," says Jeff Pollard, principal analyst at Forrester, in that a set of features designed for privacy became part of this chain of vulnerabilities.

Facebook began to investigate the problem when it noticed an uptick in user logins on Sept. 16. When it detected the bugs, the company alerted law enforcement, fixed the bugs, and reset the access tokens for 90 million accounts – the 50 million compromised, plus 40 million that had used the "View As" feature during the year prior. It also temporarily disabled the "View As" feature.

But much of the damage may have already been done – and we are nowhere near knowing the full extent of how many users, and how much of their data, have been affected.

"This is the most severe security breach in the history of Facebook, affecting not just the company but the entire ecosystem around Facebook," says Prabath Siriwardena, vice president of identity management and security for WSO2. "Facebook has worked to address the breach quickly, but until it announces its findings, we won't know how deep the impact is."

Just the Beginning
Guy Rosen, Facebook's vice president of product management, said in a conference call on Friday that attackers may have leveraged Facebook Login to gain access to user accounts for other websites and applications. Facebook Login lets people use their Facebook usernames and passwords to register for and access different sites and services.

The feature was designed for convenience, not security, as it uses a person's Facebook profile to verify his or her identity for accounts across the Web. If Facebook gets hacked, all the accounts that rely on Facebook for authentication are compromised as well.

"Facebook seems like it might be less affected than services that used Facebook for their logins," Pollard says. "If the access token was compromised, the companies using Facebook Login could have more things done to them than Facebook itself."

Account information could have been changed, he explains, or transactions could have been made without the user's knowledge. If Facebook Login is used for several services, the risk of an attacker compromising multiple accounts is higher. This also puts pressure on third-party apps and services to make sure nothing happened to users and to notify them if something did.

"It's a nightmare from a notification and third-party risk perspective," Pollard adds. Businesses should understand which accounts were engaged and ensure no financial fraud was committed.
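As an added illustration (not from the article, Facebook, or any of the firms quoted), here is how a relying party could audit the sessions it minted from Facebook Login tokens after an incident like this one: revoke sessions whose token the provider has since reset, whose token was issued for some other app, or whose token no longer belongs to the linked user, and flag sessions created inside the exposure window for review. `introspect` stands in for a provider token check (the field names mirror Facebook's /debug_token response, but the lookup here is a constructed stub), and OUR_APP_ID and the sample sessions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Window from the article: buggy uploader shipped July 2017, Facebook reset
# tokens on Sept. 28, 2018. Sessions minted inside it deserve review.
EXPOSURE_START = datetime(2017, 7, 1, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2018, 9, 28, tzinfo=timezone.utc)
OUR_APP_ID = "123456"  # hypothetical relying-party app id

@dataclass
class Session:
    session_id: str
    fb_user_id: str      # Facebook user the session was linked to at login
    fb_token: str        # Facebook access token the session was minted from
    created_at: datetime

def audit_session(s: Session, introspect) -> list:
    """Return reasons to revoke this session (empty list = keep it).
    `introspect(token)` returns the provider's view of the token; field names
    follow Facebook's /debug_token response (is_valid, app_id, user_id)."""
    info = introspect(s.fb_token)
    reasons = []
    if not info.get("is_valid"):             # token reset/revoked by provider
        reasons.append("token_invalidated_by_provider")
    if info.get("app_id") != OUR_APP_ID:     # token minted for some other app
        reasons.append("token_issued_for_other_app")
    if info.get("user_id") != s.fb_user_id:  # token does not belong to this user
        reasons.append("token_user_mismatch")
    if EXPOSURE_START <= s.created_at <= EXPOSURE_END:
        reasons.append("created_in_exposure_window")
    return reasons

def audit_all(sessions, introspect) -> dict:
    """session_id -> reasons, for every session to revoke and whose owner to notify."""
    return {s.session_id: r for s in sessions if (r := audit_session(s, introspect))}

FAKE_PROVIDER = {  # constructed introspection answers standing in for a live lookup
    "tok-alice": {"is_valid": True, "app_id": OUR_APP_ID, "user_id": "fb-alice"},
    "tok-bob": {"is_valid": False, "app_id": OUR_APP_ID, "user_id": "fb-bob"},
    "tok-eve": {"is_valid": True, "app_id": "999999", "user_id": "fb-eve"},
    "tok-swap": {"is_valid": True, "app_id": OUR_APP_ID, "user_id": "fb-mallory"},
}
def stub_introspect(token: str) -> dict:
    return FAKE_PROVIDER.get(token, {"is_valid": False})

SAMPLE_SESSIONS = [  # constructed
    Session("s1", "fb-alice", "tok-alice", datetime(2018, 10, 2, tzinfo=timezone.utc)),
    Session("s2", "fb-bob", "tok-bob", datetime(2018, 10, 2, tzinfo=timezone.utc)),
    Session("s3", "fb-eve", "tok-eve", datetime(2018, 10, 2, tzinfo=timezone.utc)),
    Session("s4", "fb-carol", "tok-swap", datetime(2018, 3, 1, tzinfo=timezone.utc)),
]
```

Running `audit_all(SAMPLE_SESSIONS, stub_introspect)` keeps only Alice's session and returns the revoke reasons for the other three, which is the list a business would work from when deciding whom to notify.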

What would the attackers' motivation be here?

"The only parties that would be interested in Facebook data are advertisers or nation-states trying to undermine or influence or change things in different countries," points out Avivah Litan, Gartner vice president and distinguished analyst. Financially motivated cybercriminals don't need to seek out information like birthdates or Social Security numbers, she continues. It's all available to them on the Dark Web, the result of several major security breaches.

To breach Facebook "would be overkill" for financially driven attackers. They won't find credit card numbers, financial records, or credit reports on Facebook.

What Can You Do?
For starters, steer clear of the Facebook Login feature. It can't be trusted, Litan says, and this breach is a perfect example of why. "[Attackers] can get everything ... they have your credentials, so they can log in as you," she says.

WSO2's Siriwardena recommends that all confirmed or potentially affected users check their privacy settings and credential recovery options both in Facebook and in other connected apps. There could be many, he adds, depending on how many apps the user has logged into using Facebook Login.

Forrester's Pollard recommends businesses view the Facebook breach as a warning. "Any company has to look at Facebook and realize if someone is determined to get in, they often can," he says. Businesses should take a close look at their notification and incident-response practices.

There's also an application security component worth bearing in mind, Pollard adds.

"More and more companies are relying on software to make money, to engage with customers," he explains. "You have to prioritize application security and recognize all the code you use is a big part of your attack surface."

No matter how strong your engineering team is, a clearly defined process for pushing code changes into production is needed, Siriwardena says. Security reviews must be included throughout the process, from design to development to deployment, and the process must be refined frequently, he adds. One small detail that gets overlooked could result in global effects.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
