Hackers access 50 million Facebook profiles

September 28 · Issue #216
The Interface
On Friday morning of Facebook’s most tumultuous week in recent memory, the notorious bug-bounty hunter Chang Chi-yuan announced an impressive-sounding stunt. On Sunday, Chang promised to hack the personal Facebook page of Mark Zuckerberg, and broadcast it live on his own Facebook page. He had found a bug that would grant him access to Zuck’s account, he said, and he planned to share it with the world.
After his Facebook post on the subject earned global attention, though, he changed his mind. “I am canceling my live feed, I have reported the bug to Facebook and I will show proof when I get bounty from Facebook,” he told Bloomberg.
But before anyone could be too disappointed, Facebook announced a major (and unrelated, it says) vulnerability of its own. And while no one defaced the CEO’s personal page, hackers gained access to at least 50 million accounts. To its credit, Facebook announced its discovery just three days after learning about it. As a result, details about who did the hacking, and what data they may have made off with, remain sketchy.
Two points guide my thinking here. One, breaches often turn out to be worse than originally thought. That seems particularly worth keeping in mind in a situation like this, where the affected company is only three days into its investigation. Two, unlike the extremely weird Cambridge Analytica story, what happened to these accounts is an actual data breach — and, as such, it could result in the first major fine being handed down as a result of Europe’s General Data Protection Regulation (GDPR).
Guy Rosen, a vice president of product management, explained some of the details about this most recent security issue in a blog post. Other details — including the fact that the vulnerability was triggered by allowing users to upload “Happy Birthday” videos — came out during a press call with reporters.
The attack, which Facebook discovered on Tuesday, exploited a privacy feature known as “View As,” which lets you see what your own profile looks like to someone else.
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.
“View As” has been shut down until further notice. A total of 90 million people — the number who used “View As” since the vulnerability was created — will be asked to log in to their accounts again. Victims of the breach will be notified via a banner in the News Feed.
Data breaches are so common that we have become numb to them. I asked my colleague Russell Brandom, who writes about security for us, what mischief you could pull off with full access to someone’s Facebook account. Here are some of the risks he mentioned:
  • A hacker could message your friends saying you’re in trouble and need them to send you money.
  • A hacker could sell your account to another bad actor.
  • A hacker could access your private messages and posts and use them to blackmail you.
The attack relied on a confluence of three separate bugs. Lorenzo Franceschi-Bicchierai and Jason Koebler at Motherboard have a good, succinct explanation of how the attack worked:
The first bug, Rosen explained, caused a video uploader to show up on View As pages “on certain kinds of posts encouraging people to post happy birthday greetings.” Normally, the video uploader should not have shown up. The second bug caused this video uploader to generate an access token that had permission to log into the Facebook mobile app, which is not how this feature “is intended to be used,” according to Rosen.
The final bug, Rosen explained, was that when the video uploader showed up as part of the View As feature, it generated a new access token not for the user, but for the person who they were pretending to be—essentially giving the person using the View As feature the keys to access the account of the person they were simulating. In the example we gave above, this would not only have allowed you to look at John’s profile using the View As John feature, but it also would have generated an access token allowing you to log in to and take over John’s account.
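To make the three bugs concrete, here is an added toy model (constructed for this issue, not Facebook’s code) of how a preview feature can end up minting a token for the wrong principal with too much scope, beside the same feature with each defect removed. The `Session`, `Token` and scope names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Toy model of the three View As bugs described above and their fixes.
# Constructed illustration; nothing here is Facebook's code.

@dataclass(frozen=True)
class Token:
    subject: str              # account the token acts on behalf of
    scopes: FrozenSet[str]    # what the token may do
    issued_via: str           # feature that minted it (provenance for triage)

@dataclass
class Session:
    user: str                        # the authenticated account
    view_as: Optional[str] = None    # account being previewed via "View As", if any

def vulnerable_uploader_token(session: Session) -> Token:
    """Mints the token the way the three bugs combine to do it."""
    # Bug 1: the birthday video uploader renders even inside a View As preview.
    # Bug 3: the subject is taken from the profile being rendered, i.e. the
    #        impersonated user rather than the authenticated one.
    subject = session.view_as or session.user
    # Bug 2: the token carries mobile-app login scope, not just upload scope.
    return Token(subject, frozenset({"mobile_app_login", "video_upload"}),
                 "view_as_birthday_uploader")

def hardened_uploader_token(session: Session) -> Optional[Token]:
    """Same feature with the three defects removed."""
    # Fix 1: a preview is read-only; no uploader is rendered, so no token exists.
    if session.view_as is not None:
        return None
    # Fix 3: the subject is always the authenticated principal.
    # Fix 2: least privilege; only the scope the uploader actually needs.
    return Token(session.user, frozenset({"video_upload"}), "birthday_uploader")

def grants_login_as(token: Optional[Token], account: str) -> bool:
    """True if this token would let its holder log into `account`'s mobile app."""
    return (token is not None and token.subject == account
            and "mobile_app_login" in token.scopes)
```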
Once the attack was under way, the hackers were sloppy enough that Facebook was able to detect their work simply by noting a large spike in the use of user access tokens. Some security pundits believe this could make it less likely that this was a state-sponsored attack. Having gotten this level of access, a state-level actor might have operated in a more targeted fashion, the thinking goes, so as to maximize the time they could spend slurping up data from high-value targets.
Rosen told reporters that the attackers had used Facebook APIs to query basic profile information including user gender and hometown. It’s not immediately clear what that data might be used for. I asked him how, given that hackers had full control over accounts, Facebook would be able to determine which usage was legitimate or illegitimate. Otherwise how could it say no private messages had been accessed? Rosen said that the company will now work to separate illegitimate logins from legitimate ones, and try to disentangle them based on how the user access tokens were acquired.
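The two defender-side tasks in the last two paragraphs, spotting the spike in token issuance and later separating tokens by how they were acquired, can be sketched over a small log. This is an added example with constructed log lines and an assumed `actor=/subject=/via=` format; it is not Facebook’s telemetry or tooling.

```python
import re
from collections import Counter

# Constructed token-issuance log lines (not real Facebook telemetry). Each
# line records who held the session (actor), whom the token was minted for
# (subject) and which feature minted it (via).
LOG = """\
2018-09-25T10:00:01Z actor=u101 subject=u101 via=birthday_uploader
2018-09-25T10:00:05Z actor=u102 subject=u102 via=birthday_uploader
2018-09-25T10:01:00Z actor=u103 subject=u103 via=birthday_uploader
2018-09-25T10:02:00Z actor=u900 subject=u555 via=view_as_birthday_uploader
2018-09-25T10:02:01Z actor=u900 subject=u556 via=view_as_birthday_uploader
2018-09-25T10:02:02Z actor=u900 subject=u557 via=view_as_birthday_uploader
2018-09-25T10:02:03Z actor=u901 subject=u558 via=view_as_birthday_uploader
2018-09-25T10:02:04Z actor=u901 subject=u559 via=view_as_birthday_uploader
"""
LINE = re.compile(r"^(\S+) actor=(\S+) subject=(\S+) via=(\S+)$")

def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, actor, subject, via = m.groups()
            events.append({"minute": ts[:16], "actor": actor,
                           "subject": subject, "via": via})
    return events

def spike_minutes(events: list, factor: float = 3.0) -> list:
    """Minutes whose token-minting volume exceeds `factor` times the
    average of all other minutes (the kind of spike the text describes)."""
    per_minute = Counter(e["minute"] for e in events)
    flagged = []
    for minute, n in per_minute.items():
        others = [c for m, c in per_minute.items() if m != minute]
        baseline = max(sum(others) / len(others), 1.0) if others else 1.0
        if n > factor * baseline:
            flagged.append(minute)
    return sorted(flagged)

def triage(events: list) -> dict:
    """Separate tokens by how they were acquired: any token whose subject is
    not the session holder was minted by the defective path and must be
    reset; the actors that minted them are the pivot points to investigate."""
    reset = {e["subject"] for e in events if e["subject"] != e["actor"]}
    pivots = {e["actor"] for e in events if e["subject"] != e["actor"]}
    return {"reset_subjects": reset, "pivot_actors": pivots}
```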
It’s all going to take a while.
In the meantime, there was yelling. The Irish Data Protection Commission complained about a lack of detail in Facebook’s initial report. The UK Information Commissioner’s Office said it would investigate. In the United States, Rohit Chopra, a Democratic appointee to the Federal Trade Commission, tweeted: “I want answers.”
On the press call, a handful of reporters asked Zuckerberg why they should still trust Facebook with their data. He gently deflected the question, saying that Facebook faces attacks every day, and that they took their responsibilities very seriously. What he wouldn’t say is that, over a long enough time horizon, some hackers will always breach your defenses. For Facebook, the job is to prevent as many as possible from happening. For users, it could be a reason to store less data with Facebook.

Democracy
In test case, U.S. fails to force Facebook to wiretap Messenger calls
Under Threat of Regulations, Facebook Increases Lobbying in State Legislatures
Facebook Just Met With Reps From Myanmar, The Philippines, And Sri Lanka To Discuss Its Global Misinformation Problem
Elsewhere
A Majority of Teens Have Experienced Some Form of Cyberbullying
Conspiracy theorist vlogger arraigned for death threats to YouTube employees
Snapchat launches multiple e-commerce ad options in time for holiday shopping
The Goods does a mini-doc on Instagram-friendly pop-up “museums”:
How "Instagram traps" are changing art museums - YouTube
Launches
Reddit updates its quarantine policy with an appeals process
Takes
The case for breaking up Facebook and Instagram
Instagram Is Too Big Not to Mess With
Instagram’s founders quit: how do the influencers feel?
Why Snap will get acquired before 2020, probably by Amazon
John Oliver teed off on Facebook for another 20 minutes this week. It only got 2.5 million views on YouTube. Is he losing his edge?
Facebook: Last Week Tonight with John Oliver (HBO) - YouTube
And finally ...
Dril’s book of tweets shows he’s the best chronicler of the internet
Talk to me
Send me tips, comments, questions, weekend plans: casey@theverge.com.