Facebook f’up: 90 million and counting. The root cause is that Facebook logins are persistent: you stay logged in until you explicitly log out, and whoever holds your session token gets the same access you do. Bogdan Botezatu, Senior Security Analyst at Bitdefender, tells GadgetGuy readers more on what happened and which greedy practices enabled it.
This week 90 million users found themselves logged out of Facebook. WTF? They never log out of Facebook. The forced logout was Facebook’s way of preventing further mass theft of data in what appears to be the social network’s worst privacy blunder to date. And yes, we’ve heard of Cambridge Analytica and the rest of the stories, and seen the guy in the hoodie continually saying sorry. It’s getting repetitive, but we are used to Facebook f’ups.
The story, frame by frame
At least 50 million and more likely 90 million accounts have been compromised through a daisy-chained vulnerability in the ‘View As’ feature.
This vulnerability allows hackers to snatch authentication tokens to stay logged into the account regardless of whether you refresh the browser page, reboot the computer or put it to sleep.
As long as you have the token, you are granted access to your account without having to go through the login process. Whoever has this token, including the crafty hacker, is also exempt from going through the login process. Facebook wanted you to have that token because it enabled it to snoop on everything you do outside Facebook.
There is little additional information about this bug. It has now been partially mitigated by the social network disabling the View As feature. But it’s worth mentioning that there is NO Bug Bounty reward or an account of a white-hat hacker reporting this vulnerability. No, this is a new vulnerability!
It is safe to assume that this was not a controlled report and that a third party walked away with at least 50 MILLION (or 90 million) access tokens.
Here comes the painful part of the Facebook
According to Statista, Facebook Messenger is the world’s second largest instant messaging platform with almost 1.3 billion active users. It’s also the world’s largest instant messaging platform that does not have end-to-end encryption turned on by default. This means that chat history is always available from whatever machine you are logging into. At this point, it’s safe to assume that, if you got logged out of Facebook for no apparent reason:
1. Most likely your account was among the ones that have been hacked. Which brings us to point number 2.
2. Your private posts, conversations and every piece of information, like check-ins, pictures sent via chat and so on, have likely fallen into the wrong hands. If, at any point, they become public following a “data dump”, marriages will break up, friendships will end abruptly, and sensitive pictures will flood the internet. Life will never be the same as before, “thanks” to a small bug in a platform.
Other accounts using Facebook authentication might have been accessed.
As of now, it is hard to tell what hackers were able to get their hands on. However, given the complexity of the bug and the generous timeframe (the social network caught the bug last Tuesday, but it could have been exploited for way longer than this), it is fair to assume the worst. The reason you had to log in again today was Facebook’s way of denying hackers access to the accounts: they invalidated the access tokens of both the 50M confirmed compromised accounts and the 40M accounts suspected of being compromised.
And, as we’re talking about extremely sensitive content such as private chat conversations, group chats and business-to-consumer interactions, changing your password won’t be enough to make everything OK again.
So, if you’ve had sensitive content shared on Facebook Messenger, it’s time to come to terms with it. If you’re a company that uses Facebook Messenger for support purposes and you’ve been logged out of your account, you’d better start evaluating what information has been exchanged across the medium and start notifying customers. This is by all accounts a data breach that falls under the GDPR and should be treated as such.
What you should do now
The disclosure goes along the lines of the old adage ‘never put all your eggs in one basket’. Social networks have become the centrepiece of a digital life that blurs into physical life itself. It also shows that social networks can do so much more than influence your shopping behaviour or steal an election: they can have serious consequences on your lifestyle based on your private social interactions.
Unfortunately, what has been seen cannot be unseen, and there is little you can do right now to change the course of things. What you should do, though, is consider your future options:
Understand that social networks are not bulletproof places where your secrets are safe. Plan for the worst and act
Never put something in writing that you would not like to leak several years from now when the platform gets
Embrace end-to-end encryption like your life and your freedom depend on it. Sometimes they do.
Use privacy-focused IM clients such as Signal for sensitive chats or any other business that should stay segregated from your physical persona.
GadgetGuy’s take. Yet another Facebook f’up means f’off Facebook.
It is time readers understood just how sinister, aggressive and avaricious Facebook really is. That greed for your information should be its undoing. It gave you a persistent login token, ostensibly for the convenience of never having to log in again, and used that always-logged-in state to follow everything you do. This is hundreds of times more culpable than handing you the ‘free’ Facebook-owned Onavo VPN to ‘protect your privacy’ while it sent your data back to Facebook for further analysis.
Now that up to 90 million users have had their innermost secrets stolen and likely added to the dossiers traded about them on the dark web, they are not safe from online scams ever again. Rumour has it that when Facebook discovered the issue last week it pulled the plug to stop the exposure spreading beyond those 90 million; a day or so more and, the rumour goes, every user could have had their data pillaged.