03 Oct, 2018
The last week of September witnessed the biggest security breach of Facebook so far. Facebook disclosed a massive hack in which attackers obtained the access tokens of 50 million accounts, bypassing security measures and potentially giving them full control of both the profiles and the linked apps. Another 40 million profiles are considered at risk by Facebook.
- According to Facebook, the vulnerability allowed hackers to steal secret access tokens that could then be used to directly access users' private information without requiring their original account password or validating two-factor authentication code.
- These digital keys are normally used to keep users logged in, but they can also give outsiders full control of the compromised accounts. Facebook logged all 90 million accounts out in order to reset the digital keys the hackers had stolen.
- The flaw lay in the site's "View As" feature and its video uploader; exploiting it yielded access to an account. The bug forced Facebook to reset the access tokens of the 50 million affected users and, as a precaution, of the 40 million users at risk.
- There were 3 distinct bugs that were chained to accomplish the attack:
- One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages.
- The second bug was in the video uploader that incorrectly generated an access token that had permission to log into the Facebook mobile app, which is otherwise not allowed.
- The third bug was that the generated access token was not for you as the viewer, but for the user that you were looking up, giving attackers an opportunity to steal the keys to access an account of the person they were simulating.
- The hack could have affected third-party applications, including Facebook's own Instagram app. The company's "Facebook Login" feature lets users log into other apps and websites with their Facebook credentials. This incident, where access tokens were stolen, showed that once a user is logged into Facebook, the token alone is enough to access that user's account on a third-party site.
- Though your Facebook account password has not been compromised, that is no reason to be relieved, because hackers no longer need it to access your account. An application or an attacker can use millions of stolen access tokens to programmatically fetch information from each account through the API, without ever having your password or two-factor authentication code.
- As the flaw was a year old, it is still not clear how many accounts, and how much personal information, went into the hands of hackers before Facebook detected the breach. The vulnerability had left all your personal information, including private messages, photos and videos, wide open to hackers.
- According to Facebook, it has fixed the vulnerability and notified law enforcement officials. But company officials are still in the dark regarding the identity or origin of the attackers, the scope of the attack, and even whether particular users were targeted.
- Facebook could face a fine of up to $1.63 billion for the latest hack under GDPR. GDPR contains recommendations that companies store as little user data as necessary, potentially exposing Facebook to higher liability.
- Facebook shares dropped more than 3% on the news, and it set off another round of news reports that reminded people about Cambridge Analytica, Russian propaganda, Myanmar violence and more.
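The three bugs above come down to one token-issuance mistake: a "View As" preview ended up holding a token whose subject was the account being viewed rather than the viewer, and that token carried full app-login rights and a long lifetime, so the API accepted it without any password or two-factor step. The model below is an added illustration written for this post, not Facebook's code; all names (`TokenService`, `issue_preview_token_flawed`, `authorize`, the scope strings) are hypothetical. It places the flawed issuance beside a hardened one, shows the resource-server check that rejects a token whose subject differs from the session it was issued to, and includes the two operational pieces a defender needs afterwards: an audit that finds mismatched live tokens, and a bulk revocation like the forced logout Facebook performed.

```python
"""Model of the 'View As' access-token flaw and its fix (constructed example)."""
import secrets
import time
from dataclasses import dataclass

# Hypothetical scope names; the preview needs only to render a profile.
PREVIEW_SCOPES = frozenset({"render_profile_preview"})
FULL_SCOPES = frozenset({"app_login", "read_profile", "read_messages"})


@dataclass(frozen=True)
class Token:
    value: str
    subject: str        # account the token acts on behalf of
    issued_to: str      # authenticated session that requested the token
    scopes: frozenset   # capabilities the token grants
    expires_at: float   # epoch seconds


class TokenService:
    """Issues and validates bearer tokens; keeps a server-side registry so
    outstanding tokens can be audited and revoked in bulk."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, for tests and expiry checks
        self._registry = {}      # token value -> Token

    def _store(self, token):
        self._registry[token.value] = token
        return token

    def issue_preview_token_flawed(self, viewer, viewed_as):
        """Models the bug chain in the post: the preview hands the uploader a
        token whose subject is the *viewed* account, with app-login scope and
        a months-long lifetime. Kept only to contrast with the fix below."""
        return self._store(Token(
            value=secrets.token_urlsafe(24),
            subject=viewed_as,
            issued_to=viewer,
            scopes=FULL_SCOPES,
            expires_at=self._now() + 60 * 24 * 3600,
        ))

    def issue_preview_token(self, viewer, viewed_as):
        """Hardened issuance: the subject is always the authenticated viewer;
        'viewed_as' only affects rendering, never identity. Scope is limited
        to preview rendering and the lifetime is minutes, not months."""
        del viewed_as  # deliberately not part of the token's identity
        return self._store(Token(
            value=secrets.token_urlsafe(24),
            subject=viewer,
            issued_to=viewer,
            scopes=PREVIEW_SCOPES,
            expires_at=self._now() + 5 * 60,
        ))

    def authorize(self, value, required_scope, strict=True):
        """Resource-server check. Returns the account the caller may act as,
        or None. strict=False models an API that trusts the subject field
        alone, which is what let the stolen tokens be used; strict=True also
        requires subject == issued_to."""
        token = self._registry.get(value)
        if token is None or token.expires_at <= self._now():
            return None
        if required_scope not in token.scopes:
            return None
        if strict and token.subject != token.issued_to:
            return None
        return token.subject

    def audit_mismatched(self):
        """Detection: live tokens whose subject differs from the session they
        were issued to, the signature of the flaw described above."""
        return [t for t in self._registry.values()
                if t.subject != t.issued_to and t.expires_at > self._now()]

    def revoke_all(self):
        """Response: invalidate every outstanding token (the equivalent of
        the forced logout in the post). Returns the number revoked."""
        count = len(self._registry)
        self._registry.clear()
        return count


if __name__ == "__main__":
    svc = TokenService()
    bad = svc.issue_preview_token_flawed("alice", "bob")
    good = svc.issue_preview_token("alice", "bob")
    print("lenient API accepts flawed token as:", svc.authorize(bad.value, "read_messages", strict=False))
    print("strict API accepts flawed token as:", svc.authorize(bad.value, "read_messages"))
    print("strict API accepts fixed token as:", svc.authorize(good.value, "render_profile_preview"))
    print("mismatched live tokens:", len(svc.audit_mismatched()))
    print("revoked:", svc.revoke_all())
```

The binding of `subject` to `issued_to` is the check that makes the token useless to anyone who is not the session it was minted for; the scope and lifetime limits bound the damage if a token does leak, and the registry is what makes a mass reset possible at all, since a stateless token cannot be recalled before it expires.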
This incident has clearly caused a crisis of faith in Facebook among its users. People are also raising questions like: isn't Facebook too irresponsible to be an unquestioned staple of our daily life?