Late September, Facebook announced that 50 million accounts had been compromised, as an attacker, or possible multiple attackers, had accessed log-in credentials via the social network's "View As" feature.
The social network also said around 40 million other accounts that didn't directly use the "View As" feature had been affected, but it had no idea who was behind the breach or how the compromised data may eventually be used.
Odourless, weightless intruder
Carolyn Everson, Facebook's VP of global marketing solutions, called the attack sophisticated, adding it would require attackers to understand three different bugs. She even compared the hackers to an "odourless, weightless intruder that walked in", saying Facebook could only detect it "once they made a certain move".
Oleg Kolesnikov, director of Threat Research and Cybersecurity Analytics at Securonix, says based on the currently available details, the Facebook "View As" access token security issue was a result of a code change, which was made to the video uploading feature on Facebook in July of 2017, and this impacted the "View As" app.
The security issue was detected by Facebook on 25 September, and over 50 million users' access tokens had to be reset.
Assume compromise
Kolesnikov says this is a good example of the importance of the 'assume compromise' paradigm.
'Assume compromise' means one should acknowledge that a breach has either already happened or that it's only a matter of time until it does. Security prevention tools are not a silver bullet, and cannot prevent all attacks. Operating with an 'assume compromise' or 'assume breach' approach changes detection and response strategies, limiting the trust placed in applications, services, identities and networks by treating all of them as insecure and probably already compromised.
Individually, the security issues were less impactful, but when they were used in combination, the resulting exploit enabled full compromise.
Oleg Kolesnikov, Securonix
Organisations must have the ability to monitor and baseline Internet-facing systems continuously to detect potential deviations from normal behaviour as quickly as possible, urges Kolesnikov. "In this way, security issues can be quickly identified, reducing mean-time-to-response."
He says based on the limited details available, it is likely there were a number of anomalies that resulted from attackers exploiting the issue present in the Facebook server and application logs. This could include unusual volumes and types of access token property requests for the accounts accessed. It could also include other access token type activity present in the Web application logs, which would indicate attackers were finding other ways to compromise more Facebook accounts.
"We have been seeing more and more software security issues that involve a combination of attack vectors exploited, such as, for instance, the infamous high-profile EternalBlue vulnerability used in WannaCry," says Kolesnikov. "While this was a server-side issue, there were three independent security issues that were exploited in combination to enable the compromise.
"Individually, the security issues were less impactful, but when they were used in combination, the resulting exploit enabled full compromise. So, if it is not possible to prevent such issues, it is important to implement the ability to monitor and detect them as early as possible to mitigate the impact on the users," he says.
No need to panic
Ilia Kolochenko, CEO and founder of Web security company High-Tech Bridge, says despite a huge number of potential victims, panic is unnecessary as it is still mainly unclear how many accounts were actually compromised, and how many of them were subsequently used for malicious activities or theft of personal data.
"Facebook's reaction to the incident was straightforward and professional, serving a good example of transparency, care and honesty. One may, however, inquire why the unusual spike of traffic was detected only after 50 million accounts were already affected. A company as wealthy as Facebook could afford to have a faster reaction," adds Kolochenko.
Managing risk
While it is not always possible to prevent security issues of this nature, Kolesnikov says there are a number of things that can be done to lower the risk of them occurring in the future, starting with learning from the experience, understanding how attackers exploited the issues, making sure defences are exercised continuously, and leveraging components designed and built with security in mind.
"What it boils down to is making security a business imperative and priority for the organisation," Kolesnikov says.
This incident highlights that having a bug bounty is no silver bullet.
Ilia Kolochenko, High-Tech Bridge
For users to protect themselves, he advises following basic security hygiene, enabling extra security features, and putting pressure on companies offering services to invest more in security.
"However, users can also be proactive, and take extra security precautions; for instance, checking where their accounts are logged in from to detect any discrepancies setting up extra security features like enabling alerts about unrecognised logins, monitoring for unexpected posts, friend requests, and messages sent, and configuring account recovery such as the Facebook option to contact if one's account gets locked out."
GDPR milestone?
From a legal point of view, Kolochenko says this incident may become a notorious milestone of GDPR enforcement by the EU regulators.
"A multimillion-dollar fine is not impossible under the circumstances. In addition, a class action and individual lawsuits could cause a lot of trouble for Facebook, potentially with even higher penalties or settlements, exacerbated by legal costs and a jeopardised public image. In both cases, however, victims will unlikely get any considerable compensation unless they can prove their damages with reasonable certainty, or try to invoke punitive damages, which is highly unlikely."
He says the 'bug bounty' industry might also be affected by this breach. "While the majority of submissions are usually represented by relatively trivial XSS and CSRF vulnerabilities, some experts reasonably question the economic practicality of crowd-sourced security testing."
Facebook's bounty programme stands out among the others, due to its global prestige and remarkably high rewards. "Nonetheless, it has apparently failed to address these flaws for over a year. This incident highlights that having a bug bounty is no silver bullet," Kolochenko says.
"However, a holistic, adaptive and multi-layered approach to cyber security remains crucial."
Share