Facebook Breach: Attackers Exploited Privacy Feature
Attackers Hacked Three Separate Bugs to Breach 50 Million Accounts
Facebook says that whoever hacked 50 million user accounts, putting the privacy of those users' personal data at risk, did so by abusing a privacy feature (see Facebook Submits GDPR Breach Notification to Irish Watchdog).
The social media giant says its investigation into the breach is ongoing. But security researchers say that this is the rare breach that might actually deserve to be labeled as "sophisticated."
"Anyone involved in this hack knew what he was doing," Lukasz Olejnik, an independent cybersecurity and privacy researcher, tells the Guardian.
Facebook says the attackers behind the breach abused its "View As" privacy feature. The feature is intended to enable a user to see how their account looks to everyone else.
Stolen: Access Tokens
The attack enabled a hacker to obtain an access token: the credential that, once a user has logged in, lets Facebook's apps and services act on that user's behalf in the background without asking for the password again.
Here's how: once a user logs in to Facebook, for example with a password plus "login approval," which is Facebook-speak for two-factor authentication, Facebook issues access tokens that maintain a single sign-on experience across its products, such as the Facebook mobile app being able to hand a user off to a browser to view linked content without a fresh login.
"This vulnerability was discovered by hackers, and the way they exploited it is not just finding this vulnerability and using it to get an access token, but then every time they have an access token pivoting from that to other accounts, other friends of that user to get further access tokens," Guy Rosen, Facebook's vice president of product management, said in a Friday press briefing.
Facebook says it discovered the attack on Tuesday. So far, it's not clear when the breach began, although it may date from as far back as July 2017, when the vulnerable code was introduced.
- July 2017: Facebook adds new video upload functionality that contains three separate bugs.
- Sept. 16, 2018: After seeing unusual activity, Facebook launches an investigation.
- Sept. 25: Facebook confirms the attack and identifies the vulnerability.
- Sept. 26: Facebook fixes vulnerability and begins resetting access tokens for affected accounts, meaning they will be logged out and have to log back in again to their accounts.
- Sept. 28: Facebook issues first public breach notification, saying 50 million accounts were hacked by an unknown attacker or group of attackers. But it says its investigation remains ongoing.
Three Bugs in Video Uploader
Whoever hacked Facebook by abusing the "View As" feature successfully targeted three separate bugs in Facebook's video-uploading functionality.
Rosen said the first bug was that the video uploader shouldn't have shown up when using "View As," but in some cases it did, such as when Facebook asked a user if they wanted to wish someone else a happy birthday.
"The second bug was that this video uploader incorrectly used SSO - that single sign-on product - to generate an access token that had the permissions of the Facebook mobile app. That's not how SSO was intended to be used on our platform," he said.
The third and final bug was that when the video uploader did show up as part of "View As" (the first bug), it generated an access token (the second bug) not for the user who was logged in but for the person whose view of the profile they were simulating. In other words, an attacker who looked at their own profile "as" a victim walked away with a token that let them act as that victim.
"It's the combination of these three bugs that created a vulnerability," Rosen said.
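To make the chain concrete, here is an added toy model of the three bugs and of the friend-to-friend pivot Rosen described; it is an illustration written for this article, not Facebook's code. The class and function names (AuthServer, render_view_as, harvest), the two scope names and the five-person friend graph are all assumptions made up for the example, and the "server" is simulated in-process. The vulnerable build mints a broad-scope token for the impersonated user whenever the uploader appears inside "View As"; the hardened build never renders the uploader while impersonating and binds any composer token to the authenticated caller.

```python
"""Toy model of the three-bug "View As" chain and the friend-to-friend pivot.

Added illustration, not Facebook's code. All names and the sample friend
graph are made up for the example; the server is simulated in-process.
"""
import secrets
from collections import deque
from typing import Dict, Set

WEB_SCOPE = "web_session"        # assumed: scope of an ordinary browser login
MOBILE_APP_SCOPE = "mobile_app"  # assumed: the broad scope the uploader mis-issued (bug 2)

# Constructed sample social graph: who is friends with whom.
FRIENDS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave"},
}


class AuthServer:
    """Issues access tokens and renders the 'View As' page."""

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self.tokens: Dict[str, dict] = {}  # token -> {"sub": user, "scope": scope}

    def issue(self, subject: str, scope: str) -> str:
        tok = secrets.token_hex(8)
        self.tokens[tok] = {"sub": subject, "scope": scope}
        return tok

    def login(self, user: str) -> str:
        return self.issue(user, WEB_SCOPE)

    def render_view_as(self, acting_token: str, impersonated: str,
                       birthday_prompt: bool) -> dict:
        """Show the acting user's own profile as `impersonated` would see it.

        `birthday_prompt` models the case Rosen described in which the page
        offered to post a birthday wish, pulling in the video uploader.
        """
        acting = self.tokens[acting_token]["sub"]
        page = {"profile_of": acting, "seen_as": impersonated, "uploader_token": None}
        if birthday_prompt and self.vulnerable:
            # Bug 1: the uploader is rendered inside View As at all.
            # Bug 2: it obtains its token through SSO with mobile-app scope.
            # Bug 3: the token's subject is the impersonated user, not `acting`.
            page["uploader_token"] = self.issue(impersonated, MOBILE_APP_SCOPE)
        # Hardened build: the uploader is never rendered while impersonating,
        # so no token is minted here; see render_composer for the normal path.
        return page

    def render_composer(self, acting_token: str) -> str:
        """Ordinary (non-View-As) post composer: token bound to the caller."""
        acting = self.tokens[acting_token]["sub"]
        return self.issue(acting, WEB_SCOPE)


def harvest(server: AuthServer, start_token: str) -> Dict[str, str]:
    """Attacker's pivot: from one token, collect tokens for every reachable friend.

    Returns {victim: token}. Each harvested token becomes the acting token for
    the next hop, which is the friend-of-friend spread Rosen described. The
    attacker is assumed to be able to trigger the uploader on each hop.
    """
    start_user = server.tokens[start_token]["sub"]
    loot: Dict[str, str] = {}
    seen: Set[str] = {start_user}
    queue = deque([(start_user, start_token)])
    while queue:
        user, token = queue.popleft()
        for friend in sorted(FRIENDS.get(user, ())):
            if friend in seen:
                continue
            seen.add(friend)
            page = server.render_view_as(token, friend, birthday_prompt=True)
            stolen = page["uploader_token"]
            if stolen is None:
                continue  # hardened server: nothing to pivot with
            loot[friend] = stolen
            queue.append((friend, stolen))
    return loot


if __name__ == "__main__":
    for vulnerable in (True, False):
        srv = AuthServer(vulnerable=vulnerable)
        print("vulnerable" if vulnerable else "hardened", "->",
              sorted(harvest(srv, srv.login("alice"))))
```

Against the vulnerable server a single login as "alice" yields broad-scope tokens for every account reachable through the friend graph; against the hardened server the same walk yields nothing, because no token is ever minted in the impersonation context.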
"As a precautionary measure, even though we believe we've fixed the issue, we're temporarily taking down the [View As] feature that had the security vulnerability until we can fully investigate it and make sure there are no other security issues with it," Facebook CEO Mark Zuckerberg said on Friday.
Rosen said the company invalidated the access tokens for the 50 million targeted users, as well as for 40 million other users whose profiles had been the subject of a "View As" lookup.
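Resetting tokens for 90 million accounts is only practical if the server can invalidate everything a user holds without enumerating the tokens. As an added example, not Facebook's code, the block below uses a per-user generation number: every token records the generation at issue, validation rejects any token whose generation is stale, and a reset is a single increment per affected user. The class and function names are made up for the example.

```python
"""Mass token invalidation without enumerating the tokens.

Added illustration, not Facebook's code. The per-user generation counter is
a standard pattern; names here are made up for the example.
"""
import secrets
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple


class TokenStore:
    def __init__(self) -> None:
        self.generation: Dict[str, int] = defaultdict(int)  # user -> current generation
        self.tokens: Dict[str, Tuple[str, int]] = {}        # token -> (user, generation at issue)

    def issue(self, user: str) -> str:
        tok = secrets.token_hex(16)
        self.tokens[tok] = (user, self.generation[user])
        return tok

    def validate(self, tok: str) -> Optional[str]:
        """Return the user the token belongs to, or None if unknown or reset."""
        entry = self.tokens.get(tok)
        if entry is None:
            return None
        user, gen = entry
        if gen != self.generation[user]:
            return None  # issued before the user's last reset: force re-login
        return user

    def invalidate_user(self, user: str) -> None:
        """Log the user out everywhere: every outstanding token becomes stale."""
        self.generation[user] += 1


def reset_affected(store: TokenStore, targeted: Iterable[str],
                   viewed_via_view_as: Iterable[str]) -> int:
    """Reset both the directly targeted accounts and the precautionary set.

    Returns the number of distinct accounts reset.
    """
    affected: Set[str] = set(targeted) | set(viewed_via_view_as)
    for user in affected:
        store.invalidate_user(user)
    return len(affected)


if __name__ == "__main__":
    store = TokenStore()
    old = store.issue("alice")
    reset_affected(store, targeted={"alice"}, viewed_via_view_as={"bob"})
    print("old token valid:", store.validate(old))          # None
    print("new login valid:", store.validate(store.issue("alice")))  # alice
```

The cost of a reset is one counter write per user rather than one delete per token, and tokens that were issued after the reset (the user logging back in) validate normally.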
Hackers Often Target Multiple Flaws
Chaining together multiple bugs to create a working exploit is common, and it figures heavily in researchers' bug-bounty reports as well as in competitions such as Trend Micro's Pwn2Own contest, in which contestants attempt to exploit widely used software and mobile devices with previously unknown vulnerabilities.
Historically, targeting specific flaws in a row is how researchers hacked various versions of the iPhone. First, they would exploit one vulnerability - often in the WebKit browser engine used in Apple's Safari browser and other software. Then, they would build on that by targeting other flaws.
Suspect: Nation-State Attackers
In the case of the Facebook breach, had the flaws been reported directly to the social network, they could have generated a sizeable bug bounty. So the attacker or attackers behind the hack appeared to have other intentions.
"This Facebook data is mainly useful to either advertisers or nation-states," Avivah Litan, vice president at Gartner Research, told Information Security Media Group. "I doubt advertisers hacked Facebook, so I imagine this is the work of a nation-state building out its population maps for citizenry of various countries."
What makes this breach so potentially devastating is that attackers may also have abused Facebook Social Login, which lets anyone who is logged into Facebook carry that login through to a number of other sites, including Facebook's Instagram, as well as Tinder and many others. With working access tokens in hand, attackers could have reached not just 50 million Facebook users' accounts but any other account or service those users had connected through Facebook's SSO functionality.
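The relying-party side of that risk is where a third-party site can defend itself. As an added example, not code from Facebook or from any site named above, the block below contrasts a loose check (any valid token with a user id logs that user in) with a strict one that also requires the token to have been issued to the site's own app, to be unexpired and to carry the scopes the site relies on. The response shape follows the documented Graph API debug_token endpoint (data.app_id, data.user_id, data.is_valid, data.expires_at, data.scopes); the app id, the sample responses and the "expires_at of 0 means no expiry" convention are assumptions constructed for the example, and no network call is made.

```python
"""Relying-party validation of a Facebook Login token.

Added illustration, not code from Facebook or any site in the article. The
dict layout mirrors the Graph API debug_token response; the sample
responses and OUR_APP_ID are constructed for the example.
"""
import time
from typing import Optional

OUR_APP_ID = "123456789"         # assumed: the relying party's own app id
REQUIRED_SCOPES = {"email"}      # assumed: scopes this site depends on


def accept_loosely(debug: dict) -> Optional[str]:
    """Weak check: any valid token with a user_id logs that user in."""
    data = debug.get("data", {})
    return data.get("user_id") if data.get("is_valid") else None


def accept_strictly(debug: dict, now: Optional[float] = None) -> Optional[str]:
    """Hardened check: valid, unexpired, issued to *our* app, right scopes."""
    now = time.time() if now is None else now
    data = debug.get("data", {})
    if not data.get("is_valid"):
        return None
    if data.get("app_id") != OUR_APP_ID:
        return None  # minted for another app (e.g. a first-party client token)
    expires = data.get("expires_at", 0)
    if expires and expires <= now:  # assumed: 0 denotes a non-expiring token
        return None
    if not REQUIRED_SCOPES.issubset(data.get("scopes", [])):
        return None
    return data.get("user_id")


# Constructed samples. The first models a token issued to some other app,
# like the stolen first-party tokens; the second is a token for our app.
OTHER_APP_TOKEN = {"data": {"app_id": "999", "is_valid": True, "user_id": "1001",
                            "expires_at": 0, "scopes": ["public_profile", "email"]}}
OWN_APP_TOKEN = {"data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "1001",
                          "expires_at": 1_800_000_000, "scopes": ["public_profile", "email"]}}
EXPIRED_OWN_TOKEN = {"data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "1001",
                              "expires_at": 1_600_000_000, "scopes": ["public_profile", "email"]}}

if __name__ == "__main__":
    print("loose :", accept_loosely(OTHER_APP_TOKEN))                     # 1001
    print("strict:", accept_strictly(OTHER_APP_TOKEN, now=1_700_000_000))  # None
```

The app_id comparison is the check that matters here: a token issued to one application should never be accepted as proof of identity by another, however valid Facebook says it is.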
More bad news: Jake Williams, principal consultant at information security consultancy Rendition Infosec, says it's possible the full extent of the breach will never be known because of this single sign-on functionality.
I doubt we'll ever know the full impact of the Facebook access token breach. I seriously doubt Facebook has enough logging for third party sites to reach back to mid-2017 when the vulnerable feature was deployed.
— Jake Williams (@MalwareJake) October 1, 2018
"I seriously doubt Facebook has enough logging for third party sites to reach back to mid-2017 when the vulnerable feature was deployed," Williams says via Twitter.