Skip to main content

A detailed anatomy of the hack that compromised Facebook's 50 million user breach

By

Yesterday, at least 90,000,000 Facebook users were forced to log back into the service without any explanation; later, the company revealed that at least 50,000,000 of them had been hacked, but wouldn't say how.

In a detailed anatomy of the hack based on an explanation provided by Facebook vice president of product management Guy Rosen, Motherboard's Lorenzo Franceschi-Bicchierai and Jason Koebler provide insight into the mechanics of the breach.

The vulnerability was in Facebook's somewhat esoteric "View as" feature. This feature allows Facebook users to assure themselves that the privacy settings they've chosen for their posts are working as intended. If you make a post that you want your parents to be able to see, but not your boss, "View as" will let you preview the post as if you were your boss, and then as if you were your parents, and confirm that you've got the confusing welter of Facebook privacy options right.

The attackers were able to exploit a bug in this feature to capture "access tokens" when they used "View as." By viewing a post as your boss, they could trick the system into generating an "access token" that they could use to actually login to Facebook as your boss. These access tokens are used to spare users the inconvenience of being prompted to log in to Facebook every time an app or window tries to connect them to their Facebook data.

Logging out of Facebook cancels outstanding access tokens, which is why Facebook logged 90,000,000 users out yesterday.

Rosen did not discuss the identity of the attackers, nor which data they were able to steal from the affected Facebook users.

The first bug, Rosen explained, caused a video uploader to show up on View As pages “on certain kinds of posts encouraging people to post happy birthday greetings.” Normally, the video uploader should not have showed up. The second bug caused this video uploader to generate an access token that had permission to log into the Facebook mobile app, which is not how this feature “is intended to be used,” according to Rosen.

The final bug, Rosen explained, was that when the video uploader showed up as part of the View As feature, it generated a new access token not for the user, but for the person who they were pretending to be—essentially giving the person using the View As feature the keys to access the account of the person they were simulating. In the example we gave above, this would not only have allowed you to look at John’s profile using the View As John feature, but it also would have generated an access token allowing you to login to and take over John’s account.

“It was the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers,” Rosen said. “Those attackers, in order to run the attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot that access token to other accounts and then look up other users in order to get further access tokens.”

How 50 Million Facebook Users Were Hacked [Lorenzo Franceschi-Bicchierai and Jason Koebler/Motherboard]

from Boing Boing https://ift.tt/2xWyTgl
via IFTTT

Labels:

Comments

Post a Comment

Popular posts from this blog

Instagram accidentally reinstated Pornhub’s banned account

By
After years of on-and-off temporary suspensions, Instagram permanently banned Pornhub’s account in September. Then, for a short period of time this weekend, the account was reinstated. By Tuesday, it was permanently banned again. “This was done in error,” an Instagram spokesperson told TechCrunch. “As we’ve said previously, we permanently disabled this Instagram account for repeatedly violating our policies.” Instagram’s content guidelines prohibit  nudity and sexual solicitation . A Pornhub spokesperson told TechCrunch, though, that they believe the adult streaming platform’s account did not violate any guidelines. Instagram has not commented on the exact reasoning for the ban, or which policies the account violated. It’s worrying from a moderation perspective if a permanently banned Instagram account can accidentally get switched back on. Pornhub told TechCrunch that its account even received a notice from Instagram, stating that its ban had been a mistake (that message itse...
Post a Comment
Read more

California Gov. Newsom vetoes bill SB 1047 that aims to prevent AI disasters

By
California Gov. Gavin Newsom has vetoed bill SB 1047, which aims to prevent bad actors from using AI to cause "critical harm" to humans. The California state assembly passed the legislation by a margin of 41-9 on August 28, but several organizations including the Chamber of Commerce had urged Newsom to veto the bill . In his veto message on Sept. 29, Newsom said the bill is "well-intentioned" but "does not take into account whether an Al system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the bill applies stringent standards to even the most basic functions - so long as a large system deploys it."  SB 1047 would have made the developers of AI models liable for adopting safety protocols that would stop catastrophic uses of their technology. That includes preventive measures such as testing and outside risk assessment, as well as an "emergency stop" that would completely shut down...
Post a Comment
Read more

If only your bike had a trunk. Oh wait, now it does.

By
Just to let you know, if you buy something featured here, Mashable might earn an affiliate commission. Biking is one of the best ways to get around, especially if you live in a city. It's quick, it's eco-friendly, and you get a bit of exercise.  If you already commute on two wheels or are thinking of starting, there's a storage device you kinda need. SEE ALSO: This bamboo keyboard combo adds a touch of tranquility to your workspace The Buca Boot is a pretty magical two-in-one hybrid: It’s a super secure storage box for your bike that works like the trunk of a car. You can lock your helmet or whatever else in it and leave it safely behind. It’s also a basket—open it up, and you can carry a bouquet of flowers and a baguette like the picturesque cyclist of your dreams.    Read more... More about Storage , Car , Bicycle , Trunk , and Cyclist from Mashable http://ift.tt/2eHNwLB via IFTTT
Post a Comment
Read more