Details on the latest Facebook hack
2018-10-01

The latest Facebook security breach was the result of three separate bugs that together exposed tens of millions of accounts to attackers.

Attackers exploited a vulnerability in the website’s code, says ESET data protection officer Drew van Vuuren.

“It specifically impacted ‘View As’, which is a feature that lets users see what their own profile looks like to others,” he says.

Van Vuuren explains that there were three bugs identified with this feature.

The three bugs related specifically to a redesign of the video uploader tool used to upload videos to the application. The first bug: when using View As, the video uploader shouldn't have appeared at all, but on specific posts encouraging people to post happy birthday greetings it did appear.

The second bug was that the video uploader incorrectly used Facebook’s single sign-on functionality, and generated an access token for the mobile application.

The third bug was that when the video uploader appeared, the access token was generated not for you, the logged-in user, but for the user whose profile you were looking up.

This was discovered by attackers, who were able to use this system to look up other users and get further tokens.
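The bug chain described above, reduced to a constructed model so the failure mode is visible: a preview mode that still renders a privileged widget, a widget that asks single sign-on for a token, and a token issuer that keys the token off the displayed identity instead of the caller. This is an added illustration and not Facebook's code; the `Session` fields, `mint_token` and the uploader functions are assumptions for the demo. The hardened variant and the `issuance_is_confused_deputy` invariant show the defender-side fix and the check worth logging or alerting on.

```python
"""Constructed model of the 'View As' token-scoping bug chain (not Facebook's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"constructed-demo-key"  # placeholder for the demo, not a real secret


@dataclass
class Session:
    authenticated_user: str               # the principal who actually logged in
    view_as_user: Optional[str] = None    # set while previewing a profile "as" someone else


def mint_token(subject: str) -> str:
    """Bearer token bound to a subject: subject, nonce and an HMAC tag over both."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SIGNING_KEY, f"{subject}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{subject}:{nonce}:{tag}"


def token_subject(token: str) -> str:
    return token.split(":")[0]


def vulnerable_uploader_sso(session: Session) -> Optional[str]:
    """All three bugs together: the uploader is rendered under View As (bug 1),
    it calls single sign-on for a token (bug 2), and the issuer uses the displayed
    identity rather than the authenticated caller as the token subject (bug 3)."""
    effective_user = session.view_as_user or session.authenticated_user  # bug 3
    return mint_token(effective_user)


def hardened_uploader_sso(session: Session) -> Optional[str]:
    """View As is a read-only preview: nothing in it may mint a token, and any
    token minted elsewhere is bound to the authenticated principal only."""
    if session.view_as_user is not None:            # fixes bugs 1 and 2
        return None
    return mint_token(session.authenticated_user)   # fixes bug 3


def issuance_is_confused_deputy(session: Session, token: Optional[str]) -> bool:
    """Server-side invariant to enforce and alert on: a freshly minted token whose
    subject is not the session's authenticated principal must never exist."""
    return token is not None and token_subject(token) != session.authenticated_user
```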

Hackers used this feature to steal Facebook’s access tokens, Van Vuuren says. “Access tokens are keys that keep you logged into Facebook – so you don’t have to re-enter your password every time you use the application or website.

“Based on this hackers would’ve been able to access Facebook accounts, potentially giving them access to a user’s entire profile as well as their private messages.”

He explains that the attack exploited the complex interaction of multiple issues in the code which stemmed from a change Facebook made to the video uploading feature in July 2017, which impacted the ‘View As’ functionality.

“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

Facebook says it’s “only just started our investigation”, so it can’t confirm whether your account was “misused or any information accessed”.

The company also admits that it’s clueless about who the hackers are, Van Vuuren adds.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” says Facebook’s Guy Rosen.

“We also don’t know who’s behind these attacks or where they’re based.

“We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.

“In addition, if we find more affected accounts, we will immediately reset their access tokens.”

Facebook says there was no evidence private messages had been accessed, but that hackers were able to “use [accounts] as if they were the account holder”.

The company also told reporters that no credit card information had been taken.

“Details are still unclear but it doesn’t appear as though users’ passwords would’ve been included in any breached information,” Van Vuuren says.

“Attackers may have been able to log on as a user and browse their profile (and potentially even their messages), but this wouldn’t give them access to passwords as they would be using the tokens.

“It is still a good idea to change passwords anyway, because hackers may have been able to gather details about individuals and infer passwords that way.”

Chester Wisniewski, principal research scientist at Sophos, comments: “In something as big and complicated as Facebook, there are bound to be bugs.

“The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to users’ privacy as other data breaches we have heard about or even Cambridge Analytica for that matter.

“As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing,” he adds. “This is why sensitive information should never be shared through these platforms.

“For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”