Facebook f'up

Facebook F’up – 50 million definitely and 40 million more “likely” affected

100% human

Facebook F’up 90 million and counting. The cause was because the Facebook login is persistent. You never log out of your account unless you specifically do so. Bogdan Botezatu, Sr Security Analyst at Bitdefender, tells GadgetGuy readers more on what happened and what greedy practices enabled it.

This week 90 million users found themselves logged out of Facebook. WTF, they never log out of Facebook. The logout was to prevent further massive breaches of data in what appears to be the worst privacy blunder of the social network to date. And, yes, we’ve heard of Cambridge Analytica and the rest of the stories. The guy with the hoodie continually saying sorry. Bit repetitive really but we are used to Facebook f’ups.

The story, frame by frame

At least 50 million and more likely 90 million accounts have been compromised through a daisy-chained vulnerability in the ‘View As’ feature.

This vulnerability allows hackers to snatch authentication tokens to stay logged into the account regardless of whether you refresh the browser page, reboot the computer or put it to sleep.

As long as you have the token, you are granted access to your account without having to go through the login process. Whoever has this token, including the crafty hacker is also exempt from going through the login process. Facebook wanted you to have that token because it enabled it to snoop on everything you do outside Facebook.

There is little additional information about this bug. It has now been partially mitigated by the social network disabling the View As feature. But it’s worth mentioning that there is NO Bug Bounty reward or an account of a white-hat hacker reporting this vulnerability. No, this is a new vulnerability!

It is safe to assume that this was not a controlled report and that a third-party walked away with at least 50 MILLION (or 90 million) access tokens.

Here comes the painful part of the Facebook f’up

According to Statista, Facebook Messenger is the world’s second largest instant messaging platform with almost 1.3 billion active users. It’s also the world’s largest instant messaging platform that does not have end-to-end encryption turned on by default. This means that chat history is always available from whatever machine you are logging into. At this point, it’s safe to assume that, if you got logged out of Facebook for no apparent reason:

1. Most likely your account was among the ones that have been hacked. Which brings us to point number 2.

2. Your private posts, conversations and every piece of information, like check-ins, pictures sent via chat and so on, have likely fallen into the wrong hands. If, at any point, they become public following a “data dump”, marriages will get broken, friendship will end abruptly, and sensitive pictures will flood the internet. Life will never be the same as before, “thanks” to a small bug in a platform.

Other accounts using Facebook authentication might have been accessed.

As of now, it is hard to tell what hackers were able to get their hands on. However, given the complexity of the bug and the generous timeframe (the social network caught the bug last Tuesday, but it could have been exploited for way longer than this), it is fair to assume the worst. The reason you had to log in again today was Facebook’s way of denying hackers access to the accounts: they invalidated the access token of both the 50M confirmed compromised accounts as well as the 40M accounts suspected of being compromised.

And, as we’re talking about extremely sensitive content such as private chat conversations, group chats and business-to-consumer interactions, changing your password won’t be enough to make everything OK again.

So, if you’ve had sensitive content shared on the Facebook Messenger, it’s time to come to terms with it. If you’re a company that uses Facebook Messenger for support purposes and you’ve been logged out of your account, you’d better start evaluating what information has been exchanged across the medium and start notifying customers. This is by all account a data breach that falls under the GDPR and should be treated as such.

What you should do now

The disclosure goes along the lines of the old adage saying ‘never put your eggs in one basket’. Social networks have become the centrepiece of our digital life that blurs into the physical life itself. It is also an account that social networks can do so much more than influence your shopping behaviour or steal an election: it can have serious consequences on your lifestyle based on private social interactions.

Unfortunately, what has been seen cannot be unseen, and there is little you can do right now to change the course of things. What you should do though is consider your future options:

Understand that social networks are not bulletproof places where your secrets are safe. Plan for the worst and act accordingly.

Never put something in writing that you would not like to leak several years from now when the platform gets breached.

Embrace end-to-end encryption like your life and your freedom depend on it. Sometimes it does.

Use privacy-focused IM clients such as Signal for sensitive chats or any other business that should stay segregated from your physical persona.

Facebook f'up

GadgetGuy’s take. Yet another Facebook f’up means f’off Facebook.

It is time readers understood just how sinister, aggressive and avaricious Facebook really is. That greed to get your information should be its undoing. It gave you a token, ostensibly for the convenience of not having to log out that it used to spy on everything you do. This action is hundreds of times more culpable than giving you the ‘free’ Facebook-owned Onavo VPN to protect your privacy that sent that data to Facebook for further analysis.

Now that that 90 million users have had their innermost secrets stolen and likely placed in their secret dark web profiles they are not safe from online scams ever again. Rumour is that when Facebook discovered the issue, it pulled the plug last week to stop it spreading further than the 90 million. A day or so more and all users would have had their data pillaged.

Read our original coverage here