Facebook revealed last week that malicious actors may have obtained access tokens for 50 million accounts after exploiting several bugs related to the “View As” feature and a video uploader introduced last year.
The breach was discovered last week following an investigation triggered by a traffic spike observed on September 16. Facebook says it has patched the vulnerability and there is no evidence that the compromised access tokens have been misused.
The incident, the latest in a series of security and privacy scandals involving the social media giant, could have serious repercussions for Facebook. The company’s stock went down, and it faces probes by government authorities, class action lawsuits, and a fine that could exceed $1.6 billion.
Industry professionals have commented on various aspects of the incident, including GDPR implications, the impact on Facebook and its users, the vulnerabilities exploited by the attackers, and the company’s response.
And the feedback begins…
Jeannie Warner, security manager, WhiteHat Security:
“What the hackers accessed is interesting to me – information about the accounts having to do with user data rather than financial. This really underscores the new value currency of privacy and personally identifiable information, which includes demographics like gender, hometown, name, age (birthdate) and anything else a person has under their ‘About’ tab. After the misuse of personal information by Cambridge Analytica, one starts to speculate that the same information is being harvested for similar militant bot and troll activity online, especially heading toward elections and other significant activities. Sometimes why hackers go in and what is taken can give clues as to who the hackers might be – in this case, I can speculate at a probable nation state or other political group data harvesting operation.
How it was detected is also interesting – user logins increased dramatically last December. Companies looking to assemble evidence of attack or compromise can look at user behavior and traffic patterns changing as evidence of ‘something different’ that requires investigation. The OWASP Top 10 Web Application Security Risks was updated a month before the traffic pattern was noticed last December 2017, adding a new item: A10 Insufficient Logging and Monitoring. This attack and the length of time it went undetected and verified represent the truth of that rating and inclusion as a major risk.”
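The detection idea in the comment above (a change in login volume as the first sign of ‘something different’) is easy to turn into a check over raw access logs. The following is an added example for this roundup, not Facebook’s tooling and not the commentator’s code: the one-line log format, the date (chosen to echo the September 16 spike) and the hourly volumes are all constructed. Each hour is compared with the median of the preceding hours, with a noise floor so that a quiet baseline does not turn every small uptick into an alert.

```python
"""Spotting a login spike in access logs.

Added example; log format, date and volumes are constructed.
Each line looks like:

    2018-09-16T03:14:07 login user=4412
"""
from collections import Counter
from datetime import datetime
from math import sqrt
from statistics import median


def build_sample_log() -> list:
    """Constructed sample: eight ordinary hours, then one hour with a burst."""
    per_hour = [10, 12, 11, 10, 12, 11, 10, 12, 60]
    lines = []
    uid = 1000
    for hour, n in enumerate(per_hour):
        for k in range(n):
            uid += 1
            lines.append(f"2018-09-16T{hour:02d}:{k % 60:02d}:00 login user={uid}")
        # An unrelated event in the same hour must not be counted as a login.
        lines.append(f"2018-09-16T{hour:02d}:59:59 logout user={uid}")
    return lines


def hourly_login_counts(lines) -> dict:
    """Bucket 'login' events by hour; other events and malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] != "login":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        counts[ts.strftime("%Y-%m-%dT%H")] += 1
    return dict(counts)


def detect_spikes(counts, baseline_len=6, min_baseline=3, factor=3.0):
    """Flag hours whose login count is far above the preceding hours.

    Baseline is the median of the previous `baseline_len` hours. The allowed
    deviation is `factor` times the larger of the median absolute deviation
    and sqrt(median) (a Poisson-style noise floor), so a flat baseline with
    zero MAD does not make every small change an alert.
    Returns (hour, count, baseline_median) tuples.
    """
    hours = sorted(counts)
    flagged = []
    for i, hour in enumerate(hours):
        window = [counts[h] for h in hours[max(0, i - baseline_len):i]]
        if len(window) < min_baseline:
            continue  # not enough history yet
        med = median(window)
        mad = median(abs(v - med) for v in window)
        threshold = med + factor * max(mad, sqrt(med))
        if counts[hour] > threshold:
            flagged.append((hour, counts[hour], med))
    return flagged


if __name__ == "__main__":
    for hour, n, base in detect_spikes(hourly_login_counts(build_sample_log())):
        print(f"{hour}: {n} logins against a baseline median of {base}")
```

On the constructed sample only the ninth hour is flagged; in practice the same loop runs over the real log and the first flagged bucket is where an investigation like the one described above would start.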
Rahul Kashyap, CEO, Awake Security:
“The immediate challenge for Facebook is going to be identifying what accounts were touched, compared to which ones were truly compromised. The 50 million number could change as we often have seen with past breaches. But it is quite likely a subset of those were specifically taken over.
What will be revealing is whether there is a pattern to whose accounts were being targeted, and whether that pattern will help reveal the identity of the attackers. Facebook knows what it knows now, but there’s always the possibility that attackers were able to get to more information. The large numbers in this breach could just be a decoy if threat actors were targeting specific individuals.”
Eric Sheridan, chief scientist, WhiteHat Security:
“One of the best proactive strategies in reducing the risk of introducing vulnerabilities in applications is the enumeration and systemic adoption of ‘secure design patterns.’ While they may be unique to each organization and perhaps each application, secure design patterns help solidify those code level patterns that developers must adhere to in order to ward off the introduction of exploitable vulnerabilities.
Facebook looks to have been exploited as a result of a Direct Object Reference, whereby an attacker could modify an ‘id’ parameter in order to access unauthorized user information. In this case, a secure design pattern dictating the use of a façade known to enforce data layer security constraints could be adopted to mitigate such vulnerabilities. The adoption of a secure design pattern is not enough, however. We need automation to help enforce the use of the secure design pattern at scale, which presents its own set of challenges.”
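The pattern described above (a handler that trusts a client-supplied ‘id’, beside a façade that enforces the data-layer constraint) in working form. This is an added example for this roundup and not Facebook’s code or the commentator’s: the profile store, user ids and friend graph are constructed. The vulnerable handler reads whatever record the ‘id’ parameter names; the hardened handler takes the same parameter but can only reach data through ProfileFacade, which decides what the acting user may see based on its relationship to the subject.

```python
"""Insecure direct object reference beside a data-layer facade.

Added example; profile store, ids and friend graph are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    owner_id: int
    name: str        # public
    birthdate: str   # owner and friends only
    email: str       # owner only


# Constructed data: 101 and 102 are friends, 103 is a stranger.
_PROFILES = {
    101: Profile(101, "alice", "1990-01-01", "alice@example.invalid"),
    102: Profile(102, "bob", "1988-05-05", "bob@example.invalid"),
    103: Profile(103, "mallory", "1995-09-09", "mallory@example.invalid"),
}
_FRIENDS = {101: {102}, 102: {101}, 103: set()}


def get_profile_insecure(actor_id: int, params: dict) -> dict:
    """Vulnerable: whoever can change ?id= reads anyone's full record.
    actor_id is the authenticated caller, but it is never consulted."""
    p = _PROFILES[int(params["id"])]
    return {"name": p.name, "birthdate": p.birthdate, "email": p.email}


class ProfileFacade:
    """The only path from handlers to profile data.

    Handlers never touch the store; the visibility rules live here once,
    so a new endpoint cannot forget them. Lookup is by the subject's id,
    but the result is filtered by the actor's relationship to the subject.
    """

    def __init__(self, store, friends):
        self._store = store
        self._friends = friends

    def _relationship(self, actor_id: int, subject_id: int) -> str:
        if actor_id == subject_id:
            return "self"
        if actor_id in self._friends.get(subject_id, set()):
            return "friend"
        return "public"

    def get(self, actor_id: int, subject_id: int) -> dict:
        p = self._store.get(subject_id)
        if p is None:
            raise KeyError(subject_id)  # handler maps this to 404
        rel = self._relationship(actor_id, subject_id)
        view = {"name": p.name}
        if rel in ("self", "friend"):
            view["birthdate"] = p.birthdate
        if rel == "self":
            view["email"] = p.email
        return view


FACADE = ProfileFacade(_PROFILES, _FRIENDS)


def get_profile_secure(actor_id: int, params: dict) -> dict:
    """Hardened: same URL and parameter, but every read goes through the facade."""
    return FACADE.get(actor_id, int(params["id"]))


if __name__ == "__main__":
    # The stranger (103) asks for alice's record (id=101).
    print("insecure:", get_profile_insecure(103, {"id": "101"}))
    print("secure:  ", get_profile_secure(103, {"id": "101"}))
```

The enforcement the comment calls for at scale is then a matter of making the store object unreachable from handler code except through the façade, which is something a lint rule or import-boundary check can verify mechanically.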
Dan Pitman, Principal Security Architect, Alert Logic:
“New features increase the risk that vulnerabilities like this can become part of the live application and Facebook are known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.
This ‘continuous delivery’ of new features combined with the modular nature of that delivery increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge. The applications are made up of components built by different developers at different times working based on older best practices, all of this means that vulnerabilities are an inevitability. In Facebook’s case there will be people working hard to identify flaws in both trenches and this time the attackers got there first.”
Matthew Maglieri, CISO, Ashley Madison:
“These types of incidents serve as a reminder that no organization is immune to cyber threats. Facebook is at the forefront of web application security and has an incredibly talented team dedicated to protecting the security and privacy of their users.
As a professional who has worked with companies around the world to enhance and build their cybersecurity programs, I would say that we need to learn from incidents like these and not rush to judge companies like Facebook.
And while we must hold each other accountable for these incidents, we also need to help each other up, to avoid belittling our peers who have gone through the worst, and to share what we know so that others can improve. If we don’t, we’ll only be preventing the open and honest dialogue necessary for our collective success.”
Pravin Kothari, CEO, CipherCloud:
“The real $50 million dollar question is who did this impact, exactly? Do any of those 50 million customers impacted reside in the European Community? If so, will this fall under GDPR and how will it be treated? Enforcement of GDPR will come from the Information Commissioner’s Office (ICO). What will their reaction be? Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted. Not knowing all of the detail of when the breach was discovered, who, exactly, was impacted, who was responsible, etc., the possible outcomes may be worse than we know today. We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”
Dr. Richard Ford, Chief Scientist, Forcepoint:
“First, I think it’s great that Facebook appears to have reacted so quickly, as it’s a sign of the growing maturity around breach response that we’re starting to see as GDPR comes into effect. Understanding if there was a pattern to the impacted accounts versus just random selection is the difference between someone trying to hack the system for fun or a coordinated nation-state attack that compromises specific users to ultimately gain access to sensitive data.
This breach illustrates a fundamental truth of the new digital economy: when I share my personal data with a company I am putting my trust in your ability to protect that data adequately. Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause, to become an active participant in protecting their own online identities. On the other side, companies need to avail themselves of proactive technologies such as behavioral analysis to hold up their end of the bargain.”
Greg Foss, senior manager of Threat Research, LogRhythm:
“The view-as feature within Facebook’s platform, while well-intentioned, is difficult to implement programmatically, in that you are viewing your account as another individual – essentially a light version of account impersonation. When implemented properly, you’re given a specific view of an account based on what is programmatically known about the account you’re viewing from.
Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles. It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.
If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”
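The comment above describes a ‘view as’ flow that ends up handing the viewer the viewed account’s identity. What follows is an added example for this roundup, a constructed model of that class of flaw rather than Facebook’s implementation or the commentator’s code: the token format, the HMAC key, the scope names and both minting paths are assumptions. The vulnerable path mints a full-scope token for the account being previewed, so a preview becomes impersonation; the hardened path keeps the token bound to the viewer and records the perspective as a read-only claim. Rendering ‘my profile as this person sees it’ only needs the relationship between the two accounts, never the other account’s credentials.

```python
"""Keeping a 'view as' token bound to the viewer.

Added example; token format, key, scopes and both flows are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

_KEY = b"constructed-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject_id: int, scopes: set, view_as: Optional[int] = None) -> str:
    """Sign a compact claim set. 'sub' is whose authority the token carries."""
    claims = {"sub": subject_id, "scopes": sorted(scopes), "view_as": view_as}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> dict:
    """Return the claims, or raise ValueError if the signature does not match."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def is_valid(token: str) -> bool:
    try:
        verify_token(token)
        return True
    except ValueError:
        return False


def view_as_insecure(viewer_id: int, target_id: int) -> str:
    """Vulnerable path: a component embedded in the preview needs a token, and
    the token is minted in the name of the account being previewed with full
    scope. The viewer now holds the target's identity."""
    return mint_token(target_id, {"read", "write", "upload"})


def view_as_secure(viewer_id: int, target_id: int) -> str:
    """Hardened path: the viewer keeps their own identity and only read scope;
    the perspective is carried as a claim that authorization can inspect."""
    return mint_token(viewer_id, {"read"}, view_as=target_id)


def authorize(token: str, action: str, resource_owner: int) -> bool:
    """A token may act on its subject's own resources, within its scopes."""
    claims = verify_token(token)
    return action in claims["scopes"] and claims["sub"] == resource_owner


def forge_subject(token: str, new_sub: int) -> str:
    """Attacker-style edit: rewrite 'sub' in the body but keep the old signature."""
    body, sig = token.rsplit(".", 1)
    claims = json.loads(_unb64(body))
    claims["sub"] = new_sub
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    bad = view_as_insecure(viewer_id=1, target_id=2)
    good = view_as_secure(viewer_id=1, target_id=2)
    print("insecure token lets viewer upload as target:", authorize(bad, "upload", 2))
    print("secure token lets viewer upload as target:  ", authorize(good, "upload", 2))
```

The point the check makes is structural: once a token’s ‘sub’ is the viewed account, no amount of downstream filtering rescues the preview feature, so the fix belongs at minting time, not in the rendering code.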
Chester Wisniewski, Principal Research Scientist, Sophos:
“In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to users’ privacy as other data breaches we have heard about or even Cambridge Analytica for that matter.
As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”
Adam Levin, Founder, CyberScout:
“Facebook has had a hard year, and it just got worse. In a world dominated by trillion-dollar advertising platforms consisting of multi-billion member communities, 50 million users may no longer seem like a big deal, but it is. The number of people affected by this breach is roughly equal to the entire population of the west coast of the United States. Just because you are secure at 9:01 does not mean that will still be the case at 9:02. The latest Facebook breach was caused by an upgrade. The takeaway is simple: Any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process. The traditional “patch and pray” approach to cybersecurity is obsolete. An effective vulnerability management program is crucial.”
Satya Gupta, chief technology officer and co-founder of Virsec:
“While the “View As” feature sounds like a useful way to see what your profile looks like to your ex-girlfriend, it was clearly built without thinking through security. Instead of just seeing through someone else’s eyes, Facebook essentially lets you borrow their identity. Armed with someone else’s access token you can get to lots of private and highly privileged information. In addition, millions of people use their Facebook ID (authenticated through their access tokens) to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private. Facebook claims to not know what these 50 million access tokens are being used for; you can bet that the thieves have found them to be very valuable.
These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes. It’s a bad idea to let users stay logged on indefinitely while there is no activity. Many people will open a Facebook browser tab and not close it for hours or days while doing other things. If you’re logged into your banking site and are inactive for more than a few minutes you are automatically logged off and need to re-authenticate. This is a small burden for users and a no-brainer for security. There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior.”
Dawn Song, CEO, Oasis Labs:
“Today’s breach confirms a critical trend–it’s nearly impossible for major tech companies to protect data with existing technologies. It’s time to start looking at new solutions like blockchain to defend user privacy.”