Only ~ 90 million users “directly affected”

Updated 28 Sep 2018 at 17:39.

Today, Facebook confessed that code bugs potentially exposed their world-wide user accounts to hackers. Over the past 14 months, Facebook estimates hackers snooped on at least 50 million private profiles, and perhaps as many as 90 million profiles.

Friday morning in the Facebook newsroom, the social media giant’s VP of product management, Guy Rosen said Facebook uncovered a security breach earlier this week; that allowed hackers to snatch tens of millions of account access tokens.

These tokens were leveraged to log into the associated Facebook accounts without knowing the account password. These tokens allowed hackers to login and download victims’ photos, videos, and private information. Facebook users logging into additional apps/websites with their Facebook account credentials were exposed even further. Those apps and websites can also be logged into, and looted by cyber-attackers. When these stolen tokens create a “back-door” login this trivial, would hackers ever try the secured front-door approach? Probably not.

In effect, every Facebook account was vulnerable, although the Silicon Valley Goliath estimates only 50 million accounts were, in the words of a spokesperson, “directly affected.” A further 40 million had their accounts “looked up.” Facebook has patched the hole, and “logged out” 90 million users to invalidate potentially stolen access tokens. Facebook staff said it appears no posts were made on users behalf by hackers, and no credit card information was stolen.

This security breach was made possible through the “View As” option – where Facebook users can check how others may see their profile, allowing folks to confirm their private content really is private.

The global social network released a sobering statement.”This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017.”

In a press conference held Friday morning in Silicon Valley, a Facebook representative went into greater detail. This security breach was the result of three different bugs:

• The first caused a video upload feature to appear on certain posts when it shouldn’t have.

• The second caused that video uploader to generate an access token.

• The third, caused the access token generated for the person that someone was “looking up” rather than the actual Facebook user. Potentially — any third-party, cyber-attacking hacker with this knowledge had access to any Facebook user account.

Facebook identified the security breach after noting a suspicious “spike” in user activity, on Tuesday. The attack was “fairly large scale,” and after root-cause-analysis, Facebook discovered hackers were using their Application Programming Interface to automate the malicious hacking process.

Facebook said it went to law enforcement the next day, patched the code bug and “logged out” all accounts that used Facebook’s “View As” option since July 2017, to invalidate this string of code bugs.

A hacker in Taiwan threatened to video live-stream himself over the internet on Sunday; while he hacked into Zuckerberg’s personal Facebook account. The hacker later canceled the video live-stream within hours of today’s Facebook admission.

“We are constantly improving our security and this underscores the fact that there are constant attacks,” said CEO Mark Zuckerberg. “We need to keep focusing on this over time.”

Earlier this week, the EFF published content exposing Facebook’s two-factor authentication agenda. Facebook users mobile phone numbers, provided for two-factor authentication, were later used to target them with advertisements. Information presented for security, then sold for advertising money. ®

Will blind trust in social media outlets blind us to the dangers of our digital world?

Update: Following an afternoon press conference, two pending questions are now confirmed.

1. CEO Mark Zuckerberg and chief operating officer, Sheryl Sandberg’s Facebook accounts were among the hacked user accounts.
2. It was possible to use these stolen access tokens to log into connected apps/websites that used Facebook login credentials to authenticate.

Original article by Kieren McCarthy: https://www.theregister.co.uk/2018/09/28/facebook_accounts_hacked_bug/