In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function.

On Friday, Facebook’s VP of product management Guy Rosen, coordinating with a Facebook post by founder Mark Zuckerberg, said the company discovered on Tuesday afternoon that someone had abused access tokens for 50 million users.

[Note: This story was updated on October 12, with new information concerning the number of accounts impacted]

While the impacted accounts only represent a small fraction of the billions of monthly active users worldwide, the incident is still significant, as the abused tokens enable full access to a person’s account.

According to Rosen, the attackers targeted Facebook’s ‘View As’ feature, which allows users to view their profile as someone else. The flaw exploited was introduced when changes were made to Facebook’s video uploading feature in July 2017.

“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Rosen wrote. “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”

Speaking to the details released by Facebook on the investigation, Oleg Kolesnikov, Director of Threat Research and Cybersecurity Analytics at Securonix, said it was a good example of the importance of the ‘Assume Compromise’ paradigm, and the ability to monitor and baseline public-facing systems “to detect potential deviations from normal behavior as quickly as possible to identify and address possible security issues quickly, reducing mean-time-to-response.”

In response to the incident, Facebook has disabled access tokens for all 50 million accounts that were affected, plus an additional 40 million accounts for those who used ‘View As’ over the last year. In addition, the ‘View As’ feature itself has been disabled.

It isn’t clear what, if any, information was exposed by the attackers, but Zuckerberg said in a call with journalists that the attackers did try to access developer APIs, which were locked down Thursday evening.

While it may seem like the company released information too soon, considering what little is known, they did so out of a sense of transparency, even if such an act was technically forced due to the three-day rule under GDPR (they have to inform regulators). Under GDPR, Facebook has to tell regulators about the incident within three days unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”

When asked how GDPR might impact Facebook in this situation, Jack Jones, Chief Risk Scientist and Co-founder of RiskLens, Inc., had some interesting thoughts.

“Like most other compliance standards, the notion of being ‘compliant’ is a bit of a pipe dream — at least for any large, complex organization there will always be some degree of non-compliance,” Jones said. “Furthermore, the fact that a breach occurred almost invariably means that a non-compliant condition existed. As a result, the odds of an organization ‘sheltering’ or limiting their exposure by having been ‘compliant’ is pretty much a fallacy. The only question will be how aggressively GDPR is enforced.”

In a somewhat related note, it isn’t clear if Friday’s disclosure is related to the claim made by a Taiwanese hacker, who said he discovered a bug that would allow him to delete Mark Zuckerberg’s account on the platform. The hacker, Chang Chi-yuan, was set to live stream his efforts on Sunday, but those plans were canceled after Bloomberg reported on them. He has since reported his findings to Facebook.

Salted Hash will continue to follow this story as it develops.

Update 10/12/2018:

Facebook published an update on their investigation on Friday, and one of the largest bits of new information centers on the numbers. The full post is available online here.

According to Facebook, “Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”

“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).

“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

“For 1 million people, the attackers did not access any information.”
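As an added illustration that is not Facebook's code or data, the constructed Python below models the defender's side of the incident described above: spotting tokens issued for a subject other than the acting user (the View As bug's signature), flagging a single client that harvests tokens across many accounts in a short window (the pivot Rosen describes, and the kind of baseline deviation Kolesnikov refers to), and computing a revocation scope that covers both stolen-token subjects and everyone who used View As within a lookback window, mirroring the 50 million plus 40 million response. The log format, user names, client ids and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed token-issuance log (not real data):
# (time, session_user, token_subject, feature, client)
EVENTS = [
    ("2018-09-25T13:00:00", "alice",   "alice", "login",   "c1"),
    ("2018-09-25T13:05:00", "mallory", "bob",   "view_as", "c9"),  # token minted for the viewed user
    ("2018-09-25T13:06:00", "mallory", "carol", "view_as", "c9"),
    ("2018-09-25T13:07:00", "mallory", "dave",  "view_as", "c9"),
    ("2018-09-25T13:08:00", "mallory", "erin",  "view_as", "c9"),
    ("2018-09-25T14:00:00", "frank",   "frank", "view_as", "c2"),  # legitimate own-profile preview
    ("2018-06-01T09:00:00", "grace",   "grace", "view_as", "c3"),  # used View As months ago
    ("2017-06-01T09:00:00", "heidi",   "heidi", "view_as", "c4"),  # outside the one-year lookback
]

def parse(events):
    return [(datetime.fromisoformat(t), u, s, f, c) for t, u, s, f, c in events]

def mismatched_tokens(events):
    """Signature of the bug: a View As token whose subject is not the acting user."""
    return [e for e in parse(events) if e[3] == "view_as" and e[1] != e[2]]

def pivoting_clients(events, threshold=3, window=timedelta(minutes=10)):
    """Baseline deviation: one client obtaining tokens for many distinct subjects
    within a short window, i.e. pivoting from one stolen token to the next."""
    by_client = defaultdict(list)
    for t, _, subject, _, client in parse(events):
        by_client[client].append((t, subject))
    flagged = set()
    for client, rows in by_client.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            subjects = {s for t, s in rows[i:] if t - start <= window}
            if len(subjects) >= threshold:
                flagged.add(client)
                break
    return flagged

def revocation_set(events, now, lookback=timedelta(days=365)):
    """Accounts whose tokens to invalidate: every stolen-token subject plus
    everyone who used View As inside the lookback (assumed policy)."""
    now = datetime.fromisoformat(now)
    stolen = {e[2] for e in mismatched_tokens(events)}
    recent_view_as = {u for t, u, _, f, _ in parse(events)
                      if f == "view_as" and now - t <= lookback}
    return stolen | recent_view_as
```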