Pranav Hiverekar, one of the top Facebook bug bounty hunters/hackers, shares his insights on the Facebook breach
What is your opinion with regard to this attack and the real motive behind it, since attackers could also have gone for a hefty bounty fro facebook than taking a risky path?
I assume that attackers were not aware of the bug bounty program and may be they wanted to do publicity stunt to get into news about hacking Facebook.
What is the main attack vector that lead to this breach, as a top bug hunter on Facebook, can you shed some light into this security incident/breach?
Attack vector is not yet clear but the vulnerability existed in View As feature (https://www.facebook.com/help/288066747875915?helpref=faq_content) which allowed getting access token of any given user just by browsing source of the HTML page. Access tokens can be used to access user’s account without password. So, attacker used it to get access tokens of all the users.
Ref : https://www.facebook.com/zuck/posts/10105274505136221?notif_id=1538154731362811¬if_t=notify_mehttps://newsroom.fb.com/news/2018/09/security-update/
How could have this attack been prevented and what do you consider as the failure on the part of Facebook security team? Could this attack been averted before it took a huge shape, what do you think?
No. This attack is very much creative and it is very difficult to find such vulnerabilities. It is not failure of Facebook security team, instead I appreciate the way in which Facebook have anticipated the situation. On the other hand, Uber has been fined 148M$ for covering up breach. ref : https://www.theguardian.com/technology/2018/sep/26/uber-hack-fine-driver-data-breach
Can you share us some tips on Safety and Security from your experience as one of the top ethical hackers on the Facebook Hall of Fame?
To stay secure, I suggest reseting your password so that it will invalidate all active access tokens.
