
New Facebook security mishap: what you need to know

Facebook reported its worst security breach ever. TahawulTech.com spoke to several security experts who shared insights about the latest cyber incident and advice on how users can be safe online.

Last week, Facebook disclosed that hackers stole digital login codes allowing them to assume control over nearly 50 million user accounts in its worst security breach.

However, unlike the Cambridge Analytica scandal, in which a third-party company erroneously accessed data that a then-legitimate quiz app had syphoned up, this vulnerability allowed attackers to directly take over user accounts.

In a public posting on Facebook, CEO Mark Zuckerberg confirmed the data breach and said, “We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”

The breach enabled attackers to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook.

The bugs that enabled the attack have since been patched, according to Facebook.

According to the company, the attackers could see everything in a victim’s profile, although it’s still unclear if that includes private messages or if any of that data was misused.

As part of that fix, Facebook automatically logged out 90 million Facebook users from their accounts Friday morning, accounting both for the 50 million that Facebook knows were affected, and an additional 40 million that potentially could have been.

Facebook also confirmed that third-party sites that those users logged into with their Facebook accounts could also be affected.

The first of the three bugs caused Facebook's video upload tool to mistakenly appear on the "View As" page. The second caused the uploader to generate an access token (the credential that keeps you logged into your Facebook account on a device without signing in on every visit) that carried the same sign-in permissions as the Facebook mobile app. Finally, when the video uploader appeared in "View As" mode, the token it generated was issued for the user being looked up, rather than for the person doing the looking.

“To protect people’s accounts, we’ve fixed the vulnerability,” said Pedro Canahuati, VP Engineering, Security and Privacy. “We have also reset the access tokens of the almost 50 million accounts we know were affected and we’ve also taken the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a View As look-up in the last year. Finally, we’ve temporarily turned off the View As feature while we conduct a thorough security review.”
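The chain described above (a preview feature that mints a token for the wrong subject with broader scope than the preview needs) and the remedy Facebook describes (resetting the access tokens of affected accounts) are both illustrated in the following Python example. It is an added illustration written for this article, not Facebook's code; the function names, the HMAC-signed token format, the constructed signing key, the account names and the per-account generation counter are all assumptions made for the example.

```python
"""Added example (not Facebook's code): the token-issuance bug pattern behind a
'View As' style preview, its hardened form, and a per-account generation counter
that makes 'resetting access tokens' invalidate every outstanding token."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key for the example; a real service keeps this in an HSM/KMS.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed accounts. Bumping an account's generation invalidates all tokens
# minted under the previous value (this is the 'reset' step).
TOKEN_GENERATION = {"alice": 0, "bob": 0}

# Assumed scopes: what a full mobile-app session may do vs. what a preview needs.
MOBILE_APP_SCOPE = frozenset({"read_profile", "read_messages", "post", "upload_video"})
PREVIEW_SCOPE = frozenset({"read_profile"})


def _sign(claims: dict) -> str:
    """Serialize claims deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def parse_token(token: str) -> Optional[dict]:
    """Verify the tag and the account generation; return claims or None."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    # A token minted before the account's generation was bumped is rejected.
    if claims.get("gen") != TOKEN_GENERATION.get(claims.get("sub")):
        return None
    return claims


def mint_token_vulnerable(viewer: str, view_as: Optional[str]) -> str:
    """The bug pattern: in preview mode the token's subject becomes the profile
    being previewed, and it carries full mobile-app scope regardless of need."""
    subject = view_as if view_as else viewer
    return _sign({"sub": subject, "scope": sorted(MOBILE_APP_SCOPE),
                  "gen": TOKEN_GENERATION[subject], "iat": int(time.time())})


def mint_token_fixed(viewer: str, view_as: Optional[str]) -> str:
    """Hardened form: the subject is always the authenticated viewer, the
    previewed profile is only a rendering hint, and scope is the preview minimum."""
    scope = PREVIEW_SCOPE if view_as else MOBILE_APP_SCOPE
    return _sign({"sub": viewer, "scope": sorted(scope), "preview_of": view_as,
                  "gen": TOKEN_GENERATION[viewer], "iat": int(time.time())})


def reset_account_tokens(account: str) -> None:
    """Invalidate every outstanding token for an account by advancing its generation."""
    TOKEN_GENERATION[account] += 1


def token_subject(token: str) -> Optional[str]:
    """Convenience: whose account does this token act for, if it is still valid?"""
    claims = parse_token(token)
    return claims["sub"] if claims else None


if __name__ == "__main__":
    bad = mint_token_vulnerable("alice", view_as="bob")
    good = mint_token_fixed("alice", view_as="bob")
    print("vulnerable token acts as:", token_subject(bad))   # bob
    print("fixed token acts as:     ", token_subject(good))  # alice
    reset_account_tokens("alice")
    print("fixed token after reset: ", token_subject(good))  # None
```

The point of the two mint functions is the single line that chooses the subject: binding the token to the authenticated principal, and scoping it to what the preview actually needs, removes the impersonation even if the uploader still surfaces in the wrong place. The generation counter shows why a server-side reset forces a fresh login everywhere: every token minted under the old value stops verifying, which is what logging out the 90 million accounts amounts to.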

Facebook has also advised all impacted users to take the necessary steps to ensure that their Facebook accounts are secured.

Here’s what some of the security industry’s experts have to say about the latest breach and what users can do to secure their accounts:

Chester Wisniewski, Principal Research Scientist, Sophos

“In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorisation tokens is certainly a problem, but not nearly as big of a risk to users’ privacy as other data breaches we have heard about, or even Cambridge Analytica for that matter. As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”

Dr. Richard Ford, Chief Scientist, Forcepoint

“First, I think it’s great that Facebook appears to have reacted so quickly, as it’s a sign of the growing maturity around breach response that we’re starting to see as GDPR comes into effect. Understanding if there was a pattern to the impacted accounts versus just random selection is the difference between someone trying to hack the system for fun or a coordinated nation-state attack that compromises specific users to ultimately gain access to sensitive data.

This breach illustrates a fundamental truth of the new digital economy: when I share my personal data with a company I am putting my trust in your ability to protect that data adequately. Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause, to become an active participant in protecting their own online identities. On the other side, companies need to avail themselves of proactive technologies such as behavioral analysis to hold up their end of the bargain.”


Kalle Bjorn, Director, Systems Engineering, Fortinet

“There isn’t much the users can do themselves about such breaches. However, making sure that they use complex passwords and never use the same password in multiple services is important and will help. There are a lot of services and applications that allow users to log in using Facebook authentication, which can make it possible for other accounts to be used as well. By using separate accounts and not the Facebook login, users would improve security. So, even in an event like the Facebook breach, their potentially compromised details cannot be used anywhere else. Users can of course put pressure on companies offering services to put in place better security. Two-factor authentication, for example, would help ensure that compromised passwords alone cannot be used to access the site.”

Mohammed Amin Hasbini, Senior Security Researcher, Kaspersky Lab

“There are several steps users can take to make sure that the data on their social media accounts is secured. Firstly, it is important to always do a check-up on the security settings of every social network you use; it would also be ideal to secure your primary email, which is tied to the majority of your online accounts, such as banking services and other important sites; thirdly, be very careful when you post any scans and photos online, especially when it comes to IDs, tickets and billing documents; avoid using open WiFi networks; and lastly, avoid unreliable passwords and try not to use the same passwords for different accounts.”


Nicolai Solling, CTO, Help AG

“According to Facebook, it is not a breach but a misuse of authentication tokens. There is a slight difference as the latter means the attacker will not have access to your password but would be able to impersonate you on Facebook-related services.

This latest security issue highlights a change in the way attacks are being directed. It is evident that attacks on our identity or the identity service (in this example Facebook) are becoming a focal area for attackers.

Understanding therefore that identity is at the forefront of attackers’ focus, the providers need to build more secure services, and in parallel consumers must maintain a high level of responsibility and follow best practices, which include: always use a unique password as password reuse is simply not acceptable; ensure that the password cannot be easily cracked by using special characters and a strong password policy; and finally, use the multi-factor authentication features available in most of the well-established platforms.”


Mohammad Jamal Tabbara, Senior Systems Engineer – UAE and Channel, Infoblox

“Facebook said that malicious hackers have exploited a vulnerability in the website’s code related to the ‘View As’ feature, which is meant to let a user see how his/her profile looks to other users. Using this vulnerability in this portion of the code, malicious hackers were able to steal the ‘access tokens’ that allow users to stay logged in to their account, hence hackers were able to take over the accounts and view all communications done through the platform.

A couple of best practices that users can follow include: change your password and enable two-factor authentication, such that users would need to approve, via their phones using either Google Authenticator or Duo, the log-in process to the account despite issuing the correct password.”
