TheDataGirl

A little blog about big data and other things

An attack on Facebook security

On Friday, 28th September 2018, Facebook disclosed that about 50 million accounts had been compromised. Many users found themselves logged out of their accounts; that was Facebook's way of cutting off any further use of the stolen credentials. Although most users are only finding out about the news now, the incident had been under investigation since September 16th, almost two weeks earlier, when Facebook's engineering team noticed an unusual spike in user activity. It was not until September 25th that the team identified the cause of the spike as an attack and could start taking action. (Matsakis & Lapowsky, 2018)

The attackers found flaws in the “View As” feature, which lets a user see their own profile as another person (a specific friend, or the public) would see it. They did not exploit a single vulnerability in Facebook's code but a chain of three. (Perez & Whittaker, 2018) Together, these made it possible for the attackers to obtain credentials for other people's accounts. What is particularly worrying is that the credential they obtained gave them direct access to those accounts. To understand how, we must first understand the “View As” feature.

The “View As” feature lets a user see how their profile appears to their Facebook friends and to the general public; the user picks either a specific person or “public”. Ironically, users rely on “View As” for privacy, to check which parts of their profile are visible to others. When a logged-in user opens “View As”, Facebook's front end makes requests on their behalf, and each request carries an access token that tells the server which account is making the request and what it is allowed to do. An access token is a bearer credential: like a physical key, whoever holds it can use it, and the server does not ask for the password again. Developers who use the Facebook Graph API will recognise the pattern, since every Graph API call carries an access token and the server checks the token's permissions before answering. (Lee, 2018)

Access tokens are used every day so that users can stay in their “keep me logged in” state on different devices without signing in each time. There are different types of access token, which differ in how long they remain valid. In July 2017 Facebook changed its video-uploading tool to make uploading videos easier, and that change is where the bug was introduced. Facebook's Vice President of Product Management, Guy Rosen, explained the nature of the flaws to reporters. (Perez & Whittaker, 2018)

The first flaw was that the video uploader tool would sometimes appear when it should not have, while the user was in “View As” mode. The second was that the uploader, when it did appear, generated a new access token with the same permissions as a sign-in from the Facebook mobile app. The third was that this token was issued not for the logged-in user but for the person they had chosen to “View As”. (Perez & Whittaker, 2018) An attacker who ran “View As” against a victim therefore walked away with a token for the victim's account and could use it to log in as the victim without ever knowing the victim's password. Because the password was never part of the attack, changing it would not have stopped the attack; only invalidating the token does.

Facebook says it has fixed the vulnerability and has disabled the “View As” feature completely until the investigation reveals more about the nature of the attack and the identity of the attackers. Mark Zuckerberg's position is that no accounts have so far been found to have been directly misused, and that what the attackers obtained was the profile information of the users whose access tokens they held. Until the investigation is complete, however, it is difficult to be sure that user accounts are safe and that none were misused. (Perez & Whittaker, 2018)

Besides fixing the vulnerability and disabling “View As”, Facebook reset access tokens, which is why many users found themselves logged out on Friday. Around 90 million users' tokens were reset: the 50 million accounts known to have been affected, and another 40 million as a precaution. To see where their account has been signed in, users are encouraged to check the Security and Login page in their account settings. It is still unclear whether WhatsApp and Instagram accounts were affected as a consequence. (Perez & Whittaker, 2018)
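To make the mechanism in the last three paragraphs concrete, here is a small toy model, written for this post and not taken from Facebook's code, of a token-issuing service with a buggy and a fixed “View As” endpoint. Everything in it is invented: the users alice and bob, the token format (user, generation counter, scope, expiry, HMAC), the scope names, and the per-user generation counter used to stand in for Facebook's token reset. It shows the three things described above: the leaked token resolves to the viewed-as user with full mobile-app scope, changing the victim's password does nothing to it, and resetting the victim's tokens is what kills it.

```python
"""Toy model of how a 'View As' preview can leak an impersonation token.

Hypothetical example written for this post. It is not Facebook's code; the
token format, scope names and users are invented for illustration.
"""
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # constructed: a per-run server secret

# Server-side state. PASSWORDS exists only to show that a password change does
# not touch outstanding tokens. TOKEN_GENERATION is a per-user counter; bumping
# it invalidates every token issued earlier for that user (a forced log-out).
PASSWORDS = {"alice": "hunter2", "bob": "correct horse"}  # constructed
TOKEN_GENERATION = {}


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(user_id: str, scope: str, ttl_seconds: int = 3600) -> str:
    """Issue a bearer token: whoever holds it can act as user_id within scope."""
    gen = TOKEN_GENERATION.setdefault(user_id, 0)
    expires = int(time.time()) + ttl_seconds
    payload = f"{user_id}|{gen}|{scope}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_token(token: str):
    """Return (user_id, scope) for a valid token, or None."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    user_id, gen, scope, expires, sig = parts
    payload = f"{user_id}|{gen}|{scope}|{expires}"
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or tampered
    if int(expires) < time.time():
        return None  # expired
    if int(gen) != TOKEN_GENERATION.get(user_id, 0):
        return None  # issued before the user's tokens were reset
    return user_id, scope


def account_owner(token: str):
    """Whose account does this token grant access to? None if it is not valid."""
    identity = verify_token(token)
    return identity[0] if identity else None


def change_password(user_id: str, new_password: str) -> None:
    """Rotates the password only. Existing tokens keep working."""
    PASSWORDS[user_id] = new_password


def reset_tokens(user_id: str) -> None:
    """Invalidate every outstanding token for user_id (what a forced log-out does)."""
    TOKEN_GENERATION[user_id] = TOKEN_GENERATION.get(user_id, 0) + 1


def vulnerable_view_as(session_user: str, viewed_as: str) -> dict:
    """Buggy preview: it embeds the video uploader widget, the widget asks for
    a token with mobile-app permissions, and that token is minted for the
    *viewed-as* user instead of the user who is actually logged in."""
    return {
        "profile": session_user,
        "as_seen_by": viewed_as,
        "uploader_token": mint_token(viewed_as, "mobile_app"),
    }


def hardened_view_as(session_user: str, viewed_as: str) -> dict:
    """Fixed preview: the uploader is not rendered, so no token is issued at
    all. If a token were ever needed here, the invariant is that it must be
    minted for session_user, never for viewed_as."""
    return {"profile": session_user, "as_seen_by": viewed_as, "uploader_token": None}


if __name__ == "__main__":
    leaked = vulnerable_view_as("alice", "bob")["uploader_token"]
    print("alice ran View As against bob and now holds a token for:", account_owner(leaked))
    change_password("bob", "new-password")
    print("after bob changes his password the token still resolves to:", account_owner(leaked))
    reset_tokens("bob")
    print("after bob's tokens are reset it resolves to:", account_owner(leaked))
    print("hardened preview issues:", hardened_view_as("alice", "bob")["uploader_token"])
```

Run it directly to see the sequence printed. The design point worth taking away is the generation counter: a bearer token that the server checks only by signature has no off switch, so a real token service needs some server-side state (a counter, a revocation list, or short expiry plus refresh) before a forced log-out like Facebook's is even possible.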

Facebook CEO Mark Zuckerberg has tried to reassure users that Facebook is taking the incident seriously. Following the disclosure, Facebook's stock fell by 5% to $162.57 per share, wiping around $13 billion off its value, and is down 9% for the year. (Kelleher, 2018) The previous major incident, the Cambridge Analytica scandal, was not a break-in but a misuse of data collected through a third-party app on the platform. (Bloomberg, 2018) Although Facebook is doing its utmost to protect user privacy, users should stay conscious of the data they post to their profiles and understand that there is always an element of risk involved.

 

References

Bloomberg. (2018, April 10). Facebook Cambridge Analytica Scandal: 10 questions answered. Retrieved from Fortune: http://fortune.com/2018/04/10/facebook-cambridge-analytica-what-happened/

Kelleher, K. (2018, September 28). Facebook loses around $13 billion in value after data breach affects 50 million of its users. Retrieved from Fortune: http://fortune.com/2018/09/28/facebook-stock-falls-after-security-breach/

Lee, D. (2018, September 29). Facebook security breach: Up to 50m accounts attacked. Retrieved from BBC : https://www.bbc.com/news/technology-45686890?ns_source=facebook&ns_mchannel=social&ns_campaign=bbcnews&ocid=socialflow_facebook

Matsakis, L., & Lapowsky, I. (2018, September 28). Everything we know about Facebook's massive security breach. Retrieved from Wired: https://www.wired.com/story/facebook-security-breach-50-million-accounts/

Perez, S., & Whittaker, Z. (2018, September 28). Everything you need to know about Facebook’s data breach affecting 50M users. Retrieved from TechCrunch: https://techcrunch.com/2018/09/28/everything-you-need-to-know-about-facebooks-data-breach-affecting-50m-users/
