Things get ‘seriously’ insecure yet again for Facebook
Facebook CEO Mark Zuckerberg has had to use variations of the word “serious” a lot over the past year—most notoriously regarding the social media giant’s sale of member data to Cambridge Analytica, which was viewed as affecting the 2016 presidential election.
He had to use it again, and not in a good way, on Friday when the company announced that at least 50 million, and possibly as many as 90 million, accounts had been compromised by hackers exploiting a zero-day flaw in code related to Facebook’s “View As” feature, which lets users see what their profiles look like to others. The idea is to let users control what other people can see.
“This is a really serious security issue and we’re taking it really seriously,” Zuckerberg told reporters on a media call.
In other words, the accounts of those who have used the “View As” feature since July 2017 should probably be “viewed as” hacked.
What they stole and what to do
The vulnerability allowed hackers to steal Facebook access tokens, which they could use to take over people’s accounts.
Those tokens amount to digital keys that keep people logged into Facebook so they don’t need to re-enter their password every time they use the app. Which is another example showing that in some cases, convenience comes at a cost.
It also means those whose accounts were compromised need to worry about more than just their Facebook accounts. Tim Mackey, technical evangelist with Synopsys, noted, “It’s worth highlighting that access tokens are the equivalent of a username and password combination used by applications to authenticate against other applications.
“If you’ve ever used a Facebook login button on a website, now would be an excellent time to review your App Settings, to see which applications and games you’ve granted access rights to within Facebook,” he said.
Facebook data breach basics
The details of the breach so far are sketchy, since virtually all of them are coming from Facebook itself, which is in the “early stages” of an investigation that began after the discovery on Sept. 25. But here are the fundamentals, laid out in a blog post by Guy Rosen, vice president of product management:
- The vulnerability stemmed from a change the company made to its video uploading feature in July 2017 that affected “View As.”
- While there is no overt declaration of the hackers being insiders, Rosen noted, “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.” Rosen acknowledged in a press call, “It’s important to say—the attackers could use the account as if they were the account holder.”
- Facebook does not know who is behind the attacks or their location.
- The vulnerability—three vulnerabilities chained together, actually—have been fixed.
- The company has reset the access tokens of close to 50 million accounts it knows were affected. Also, as a “precaution,” it reset access tokens for another 40 million accounts that had a “View As” lookup in the last year. Those people will have to log back into Facebook, or any of their apps that use Facebook Login.
- The “View As” feature has been turned off.
- The company said there is no need for users to reset their passwords.
- Facebook is working with both the FBI and law enforcement to investigate the breach.
The danger of design flaws
As a percentage of Facebook users, the scope of the breach isn’t all that significant. Out of roughly 2 billion total users, 50 million is only 2.5%. Even if all 90 million potentially breached accounts were affected, that’s just 4.5%.
But it prompted Sen. Mark Warner, D-Va., co-chair of the Senate Cybersecurity Caucus, to call for a full congressional investigation of the incident. In a statement to Gizmodo, he noted the “dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.”
And Gary McGraw, vice president of security technology at Synopsys, noted that this breach is just one in a seemingly unending string of them that are enabled by insecure software.
“Another day, another software problem that leads to security disaster,” he said.
“Getting software security right is difficult, but not impossible. This breach emphasizes just how important software security is, and how subtle solid security engineering can be.
“When a feature like ‘View As’ can be turned on its head into an exploit, it indicates a design problem. Design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built,” he said.
Design flaws account for 50% of software vulnerabilities.
What defects are hiding in your architecture and design?
*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/facebook-data-breach-seriously-insecure/