Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

03:45 PM
Connect Directly

When Facebook Gets Hacked, Everyone Gets Hacked

Facebook's attackers may have gained access to several third-party apps and websites via Facebook Login.

Facebook's massive security breach took a turn for the worse last week when the company confirmed attackers may have gained access to third-party applications and websites that allow users to authenticate via Facebook Login.

It's bad news on top of bad news for Facebook, which announced the massive incident on Sept. 28. At least 50 million users were affected when attackers exploited a series of bugs in the platform's "View As" privacy feature, which lets people view their own profiles as though they were someone else – a friend, a stranger, etc. The three bugs had been in place for 14 months.

In July 2017, Facebook introduced a new video uploader, which contained the vulnerabilities that made this attack possible. For one, the uploader was not supposed to appear in the "View As" feature, but for some users it was active. When active, the uploader created an access token, which it was not supposed to do. This token was designed for the person a user was trying to view his or her profile as (a friend or stranger, for example), not for the account holder.

The access token serves as a key to keep people logged into their accounts so they don't have to re-enter their credentials every time they use the app. An attacker could exploit the "View As" bugs to gain an access token, then pivot to other accounts and collect more.

There is "a real sort of irony here," says Jeff Pollard, principal analyst at Forrester, in that a set of features designed for privacy became part of this chain of vulnerabilities.

Facebook began to investigate the problem when it noticed an uptick in user logins on Sept. 16. When it detected the bugs, the company alerted law enforcement, fixed the bugs, and reset the access tokens for 90 million accounts – the 50 million compromised, plus 40 million that had used the "View As" feature during the year prior. It also temporarily disabled the "View As" feature.

But much of the damage may have already been done – and we're not even close to fully recognizing the full extent of how many users, and how much of their data, has been affected.

"This is the most severe security breach in the history of Facebook, affecting not just the company but the entire ecosystem around Facebook," says Prabath Siriwardena, vice president of identity management and security for WSO2. "Facebook has worked to address the breach quickly, but until it announces its findings, we won't know how deep the impact is."

Just the Beginning
Guy Rosen, Facebook's vice president of product management, said in a conference call on Friday that attackers may have leveraged Facebook Login to gain access to user accounts for other websites and applications. Facebook Login lets people use their Facebook usernames and passwords to register for and access different sites and services.

The feature was designed for convenience, not security, as it uses a person's Facebook profile to verify his or her identity for accounts across the Web. If Facebook gets hacked, all the accounts that rely on Facebook for authentication are compromised as well.

"Facebook seems like it might be less affected than services that used Facebook for their logins," Pollard says. "If the access token was compromised, the companies using Facebook Login could have more things done to them than Facebook itself."

Account information could have been changed, he explains, or transactions could have been made without the user's knowledge. If Facebook Login is used for several services, the risk of an attacker compromising multiple accounts is higher. This also puts pressure on third-party apps and services to make sure nothing happened to users and to notify them if something did.

"It's a nightmare from a notification and third-party risk perspective," Pollard adds. Businesses should understand which accounts were engaged and ensure no financial fraud was committed.

What would the attackers' motivation be here?

"The only parties that would be interested in Facebook data are advertisers or nation-states trying to undermine or influence or change things in different countries," points out Avivah Litan, Gartner vice president and distinguished analyst. Financially motivated cybercriminals don't need to seek out information like birthdates or Social Security numbers, she continues. It's all available to them on the Dark Web, the result of several major security breaches.

To breach Facebook "would be overkill" for financially driven attackers. They won't find credit card numbers, financial records, or credit reports on Facebook.

What Can You Do?
For starters, steer clear of the Facebook Login feature. It can't be trusted, Litan says, and this breach is a perfect example of why. "[Attackers] can get everything ... they have your credentials, so they can log in as you," she says.

WSO2's Siriwardena recommends all confirmed or potentially affected users should check their privacy settings and credential recovery options both in Facebook and in other connected apps. There could be many, he adds, depending on how many apps logged into using Facebook Login.

Forrester's Pollard recommends businesses view the Facebook breach as a warning. "Any company has to look at Facebook and realize if someone is determined to get in, they often can," he says. Businesses should take a close look at their notification and incident-response practices.

There's also an application security component worth bearing in mind, Pollard adds.

"More and more companies are relying on software to make money, to engage with customers," he explains. "You have to prioritize application security and recognize all the code you use is a big part of your attack surface."

No matter how strong your engineering team is, a clearly defined process for pushing code changes into production is needed, Siriwardena says. Security reviews must be included throughout the process, from design to development to deployment, and the process must be refined frequently, he adds. One small detail that gets overlooked could result in global effects.

Related Content:


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/6/2018 | 9:13:05 AM
Re: thank for share
very well said sir, i appreciate your thinking
User Rank: Apprentice
10/3/2018 | 12:11:12 AM
thank for share
thank for share
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-22
A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.
PUBLISHED: 2020-01-22
In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in versio...
PUBLISHED: 2020-01-22
Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed through allows a remote attacker to jailbreak the CLI via enable->debug->script->exec with ../../../bin/sh as the parameter.
PUBLISHED: 2020-01-22
AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through allows remote code execution via a POST request that uses tools/_rcmdstat.jsp to write to a specified filename.
PUBLISHED: 2020-01-22
Incorrect access control in the web interface in Ruckus Wireless Unleashed through allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.