Facebook recently released a press update about a critical security flaw affecting its application, which they promptly fixed after it was detected.
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
First, we’ve fixed the vulnerability and informed law enforcement.
According to Facebook, it has reset the access tokens of almost 50 million users whose accounts it knows were affected by the attack, plus those of a further 40 million accounts as a precaution. As a result, around 90 million users will be logged out and will have to log back in.
Facebook further went on to elaborate on this breach:
Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
The scale of the token reset alone shows how critical the issue was and why an immediate fix was needed to limit the impact of the incident. Facebook also temporarily turned off the View As feature in response, as stated in its press release –
Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.
Technical Analysis
As per Facebook’s statement, the attack was an exploit chain built on a flawed interaction between features: a change made to the video uploading feature in July 2017 affected “View As”, and the combination could be abused to obtain access tokens.
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
What Are Access Tokens and Why Do They Cause Concern?
An access token is a bearer credential: whoever presents it to the Facebook Graph API is treated as the account it was issued for, so a stolen token lets an attacker act as that user without ever knowing the password. This is also why earlier Graph API issues reported by security researchers, which chained several bugs to steal user access tokens, were taken so seriously.
Facebook’s Graph API therefore presents a large attack surface, and any flaw that leaks a token to a third party is effectively an account takeover until that token is revoked.
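To make the bearer-token property and the remediation concrete, here is an added, self-contained sketch (not Facebook’s code, and not from the press release). It models a server-side store of opaque tokens: the store only checks that a token is valid, never who is presenting it, so a token obtained through a bug works for the attacker exactly as it does for the victim. The class and function names (TokenStore, issue, authorize, reset_tokens_for, simulate_breach_and_reset) and the three sample users are assumptions made for this example.

```python
"""Why a stolen access token equals account takeover, and what a token reset does.

Added illustration, not Facebook's implementation. A real Graph API call looks
like GET https://graph.facebook.com/me?access_token=<token>; here the "API" is
the authorize() method of a hypothetical in-memory TokenStore.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TokenRecord:
    user_id: str
    issued_at: float
    revoked: bool = False


class TokenStore:
    """Server-side store of opaque bearer tokens (hypothetical design)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, user_id: str) -> str:
        # Opaque random value; identity lives in the server-side record,
        # not in the token itself.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id=user_id, issued_at=time.time())
        return token

    def authorize(self, token: str) -> Optional[str]:
        """Return the user id this token acts as, or None if unknown/revoked.

        Note what is NOT checked: who is presenting the token. That is the
        bearer-token property, and the reason a leaked token is so dangerous.
        """
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        return rec.user_id

    def reset_tokens_for(self, user_ids: Set[str]) -> int:
        """Revoke every live token of the given users so they must log in again.

        Mirrors the remediation in the press release: reset tokens for the
        accounts known to be affected plus a precautionary set.
        """
        count = 0
        for rec in self._tokens.values():
            if rec.user_id in user_ids and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


def simulate_breach_and_reset() -> Dict[str, object]:
    """Walk through token theft, misuse, and bulk reset; return a summary."""
    store = TokenStore()
    # Constructed sample users for the example.
    victim_token = store.issue("victim")          # token known to be stolen
    bystander_token = store.issue("bystander")    # only subject to a View As look-up
    unaffected_token = store.issue("unaffected")  # neither

    # The attacker holds the victim's token. No password is needed: the
    # token is the key, so the API treats the attacker as the victim.
    attacker_acts_as = store.authorize(victim_token)

    # Remediation: known-affected accounts plus the precautionary set.
    known_affected = {"victim"}
    view_as_lookup_last_year = {"bystander"}
    revoked = store.reset_tokens_for(known_affected | view_as_lookup_last_year)

    return {
        "attacker_acts_as_before_reset": attacker_acts_as,
        "revoked_count": revoked,
        "stolen_token_after_reset": store.authorize(victim_token),
        "bystander_after_reset": store.authorize(bystander_token),
        "unaffected_after_reset": store.authorize(unaffected_token),
    }


if __name__ == "__main__":
    for key, value in simulate_breach_and_reset().items():
        print(f"{key}: {value}")
```

The point of the walkthrough is the second half: after the reset the stolen token returns None while an untouched user's token still works, which is exactly the trade-off Facebook made by forcing 90 million people to log back in rather than waiting to identify every stolen token individually.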
LHN Advises You to:
- Log out of all current Facebook sessions on every device you have used, then log back in; this invalidates the access tokens those sessions were using.
- After confirming that every session has been terminated, review the OAuth-based third-party apps connected to your account and revoke any you do not recognise or no longer use, since each of them holds its own access token for the Facebook Graph API.
- Check your account’s Activity Log for actions you did not take, and report anything suspicious to Facebook Support.
- Check the active sessions listed in your Account Settings for log-ins from unfamiliar locations or devices, and report any discrepancy immediately.
- Finally, do not fall for phishing attacks, and avoid visiting suspicious pages.
- Phishing pages may also carry XSS or CSRF payloads which, if used against a logged-in session, can do serious damage, so exercise caution in your activities.