Facebook’s Latest Data Incident Unleashes New Concerns

Depending on the findings, Facebook could be fined more than $1 billion.

Facebook’s privacy issues intensified last week when the social network revealed cyberattackers took advantage of its code to access – and possibly expose – the personal information of nearly 50 million user accounts.

This latest incident follows public and congressional heat following the March 2018 reporting that data analysis firm Cambridge Analytica acquired and used data of, at last count, 87 million Facebook users; and reports this past summer that Facebook is working with several financial institutions to incorporate customers’ personal financial data, including credit and debit card transactions and checking account balances, to extend Facebook’s footprint.

The newest incident differs from the Cambridge Analytica situation. In this event, according to Facebook, attackers could see everything in a victim’s profile. “We were able to fix the vulnerability and secure the accounts, but it definitely is an issue that it happened in the first place,” Mark Zuckerberg said in a statement.

As part of that fix, Facebook automatically logged out 90 million Facebook users from their accounts. Later, the social network also confirmed the incursion could affect third-party sites using Facebook logins.

The social network says its investigation into the breach began on September 16, when it noticed an uncommon spike in users accessing Facebook. On September 25, the company’s engineering team discovered hackers exploiting bugs related to a Facebook “View As” feature that lets people see what their own profile looks like to someone else.

Pravin Kothari, CEO of the San Jose, Calif.-based CipherCloud, said, “The hackers exploited three separate vulnerabilities which allowed hackers access to approximately 50 million user tokens. User tokens allow users to stay logged into the service without re-entering their password.” Attackers can access the accounts if the token remains active. “Facebook, of course, deleted the tokens upon discovery of the breach, and as users log in again their tokens will be refreshed.”

Kothari added, “The real $50 million-dollar question is who did this impact, exactly? Do any of those 50 million customers impacted reside in the European Community? The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”

Ireland’s Data Protection Commission, described as Facebook’s lead privacy regulator in Europe, could fine Facebook as much as $1.63 billion for the data breach.

Satya Gupta, co-founder and CTO at San Jose, Calif.-based Virsec, asserted the ‘View As’ feature was clearly built without thinking through security. “Instead of just seeing through someone else’s eyes, Facebook essentially lets you borrow their identity.” Armed with someone else’s access token, cybercriminals get lots of private and highly privileged information. In addition, Gupta said millions of people use their Facebook ID (authenticated through their access tokens) to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private.

“These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes,” Gupta noted. “It’s a bad idea to let users stay logged on indefinitely while there is no activity. If you’re logged into your banking site and are inactive for more than a few minutes you are automatically logged off and need to re-authenticate.”
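The design mistake Gupta describes, and the two mitigations the article mentions (idle timeouts and bulk token invalidation), can be shown side by side in a small session store. This is an added illustration, not Facebook's code; the class, the 15-minute idle limit and the action names are all hypothetical.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60  # hypothetical policy: idle sessions expire after 15 minutes


class SessionStore:
    """Hypothetical in-memory token store; nothing here is Facebook's implementation."""

    def __init__(self):
        self.sessions = {}        # token -> session record
        self.revoked_before = {}  # user -> timestamp; tokens issued at or before it are dead

    def login(self, user, now):
        return self._issue(subject=user, view_as=None, now=now)

    def view_as_flawed(self, user, target, now):
        # The flaw the article describes: the preview is rendered by minting a real
        # token for the *target*, so whoever obtains it "borrows their identity".
        return self._issue(subject=target, view_as=None, now=now)

    def view_as_hardened(self, user, target, now):
        # The preview token stays bound to the requester; the target only narrows what
        # may be rendered, and the token can do nothing except read that preview.
        return self._issue(subject=user, view_as=target, now=now)

    def _issue(self, subject, view_as, now):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"sub": subject, "view_as": view_as,
                                "issued": now, "last_seen": now}
        return token

    def revoke_all(self, user, now):
        # Bulk invalidation: the equivalent of force-logging-out every session of a user.
        self.revoked_before[user] = now

    def authorize(self, token, action, now):
        """Return the identity an action runs as, or None if the token is unusable."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]           # idle timeout: re-authentication required
            return None
        if s["issued"] <= self.revoked_before.get(s["sub"], -1):
            del self.sessions[token]           # killed by a bulk revocation
            return None
        if s["view_as"] is not None and action != "read_profile_preview":
            return None                        # a preview token cannot act as anyone
        s["last_seen"] = now
        return s["sub"]
```

With the flawed variant, holding the preview token is the same as holding the target's login; with the hardened variant, the same token cannot post, read messages or authenticate to a third-party site as the target.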

Ameya Talwalkar, chief product officer and co-founder of Mountain View, Calif.-based Stealth Security, suggested this breach could have long-term ripple effects. “This means there are up to 90 million new leaked credentials out there in the market. We expect a significant increase in credential checking or password list attacks at other large online properties in the coming days. This will result in an increased number of accounts compromised overall, which will ultimately lead to more fraud losses.”

Some reports revealed Facebook logins selling on the dark web for less than $4 each.

Talwalkar maintained that, given the scale of this attack, it is quite possible that bots abusing APIs orchestrated it. “First generation bot mitigation technologies, which use JScript and Mobile SDK based device fingerprinting, fail to stop such bot attacks that use APIs.”

According to Cambridge, Mass.-based Akamai’s latest State of the Internet report, 8.3 billion malicious login attempts from bots occurred in May and June alone, a 1.9 billion uptick compared to the two months prior. Josh Shaul, Akamai’s VP of web security, stated, “If the attackers, in this case, were able to gain access to users’ passwords, Akamai would become concerned that we will rapidly see any stolen credentials used to attempt to login to other accounts across the web. The technique, called credential stuffing, systematically uses stolen credentials across a series of gated websites—such as banks or e-commerce sites—on the theory that consumers reuse similar login credentials across accounts. Breached Facebook users could soon find themselves the victim of larger identity or financial fraud.”

Jeannie Warner, security manager for San Jose, Calif.-based WhiteHat Security, observed, “What the hackers accessed is interesting to me – information about the accounts having to do with user data rather than financial. This really underscores the new value currency of privacy and personally identifiable information, which includes demographics like gender, hometown, name, age (birthdate) and anything else a person has under their ‘About’ tab.” Warner suggested that after the misuse of personal information by Cambridge Analytica, one starts to speculate that the same information is being harvested for similar militant bot and troll activity online, especially heading toward elections and other significant activities.

Eric Sheridan, chief scientist for WhiteHat Security, said, “One of the best proactive strategies in reducing the risk of introducing vulnerabilities in applications is the enumeration and systemic adoption of secure design patterns.” This helps solidify the code-level patterns developers must adhere to in order to ward off the introduction of exploitable vulnerabilities. “We need automation to help enforce the use of the secure design pattern at scale, which presents its own set of challenges.”