Hackers exploit Facebook security flaw, affecting 50 million users

The engineering team at Facebook Inc. has discovered and fixed a security issue affecting almost 50 million users that exploited a vulnerability in the social media site’s “View As” feature.

“Our investigation is still in its early stages,” Guy Rosen, vice president of product management at Facebook, said in a public announcement today. “But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As.’”

The issue comes at a bad time for Facebook, which has had repeated problems with privacy and data protection issues in recent years, sparking new regulations in Europe and California and likely more to come at the federal level.

“The big names in tech might hope for more lenient regulations, but this breach makes that less likely,” Brian Vecci, technical evangelist at data protection and analytics firm Varonis Systems Inc., said in an email. “The takeaway for consumers should be that we’re glad rules like GDPR and the California Consumer Privacy Act are there — they’re designed to protect us. The takeaway for companies should be that these kind of regulations are the future and new normal.”

Lawyers are already circling, too. A class action lawsuit was filed Friday in U.S. District Court for the Northern District of California. Facebook’s shares fell 2.6 percent today on a flat day for the overall markets.

The “View As” function on Facebook allows users to see what their own profile looks like to someone else. With this feature, it’s possible to better understand layout and privacy features in order to give users a practical display as to how profile appears to a specific person.

According to Rosen, the vulnerability allowed attackers to steal “access tokens” from users that could then be used to take over people’s accounts. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen said.

The security breach was discovered Tuesday afternoon by Facebook’s engineering team and steps have been taken swiftly to address the situation. In response to this discovery, Facebook fixed the vulnerability and proceeded to immediately inform law enforcement of the breach.

To protect the security of users who may have been affected by this breach, Facebook also reset the access tokens of the almost 50 million users discovered to have been exposed to the attack. Going a step further, the team also reset the access tokens of another 40 million accounts that have been subject to “View As” lookups in the past year.

As a result, more than 90 million people will have needed to log back into Facebook to reset their security credentials. This reset will affect not just Facebook sessions, but also any app that uses Facebook credentials to permit users access. Finally, Facebook is temporarily disabling the “View As” functionality while a thorough security review takes place.

“This attack exploited the complex interaction of multiple issues in our code,” Rosen said. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted ’View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

Since the investigation is still in its beginning stages, Rosen explained, it’s still unknown whom the attackers are and what their intentions were. He also added that if the investigation uncovers further accounts that have been affected by this exploit, their access tokens will also be immediately reset.

“The takeaway is simple,” Adam Levin, founder and chairman of identity protection firm CyberScout LLC and author of “Swiped,” said in an email. “Any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process. The traditional ‘patch and pray’ approach to cybersecurity is obsolete. An effective vulnerability management program is crucial.”

Justin Fier, director of cyber intelligence & analysis at cybersecurity firm Darktrace Ltd., noted in an email that attacks such as this are getting so complex that artificial intelligence-based tools — which, not surprisingly, Darktrace provides — are becoming critical to battle hackers.

“In order to bypass Facebook’s security controls without raising alarm bells, this attack would have had to be complex, sophisticated and stealthy,” he said. “Complex attacks have many moving parts that often appear as individual, subtle anomalies hiding within the noise of the network. Attacks like this will only continue to threaten our organizations, and we have to assume that it will only get harder and harder to detect.”

Users who have not reset their access tokens can also take a precautionary measure of fully logging themselves out of Facebook by visiting the “Security and Login” section in their settings.

Gary Davis, chief consumer security evangelist at security firm McAfee, advised additional moves to protect security: Change passwords for Facebook and other sites using the same password immediately, using numbers, symbols and random capital letters to make it stronger; use two-factor authentication; update apps and software; and invest in identity theft monitoring services — which McAfee not coincidentally provides.

With reporting from Robert Hof

Image: Megapixel

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.