One thing is for sure. Hackers have been using the Facebook ‘View As’ f’up for at least a year. They have had plenty of time to leisurely stroll through, and steal information from up to 90 million accounts. It is called the Facebook f’up fall-out effect.
The official transcript of Facebook’s Guy Rosen answering questions about the Facebook f’up is scary.
Here are a few clangers:
- Security vulnerabilities are by definition — they’re obscure, and they’re very hard to find.
- Regrettably, we did not catch this complex interaction of bugs [from April to September 2017] that led to this vulnerability.
- We did see this attack at a fairly large scale, and that’s how we discovered this.
- Look, this is a — this is clearly a breach of trust, and we take this very seriously. We’re working with lawmakers and with regulators to let them know about what happened.
- I think that this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community.
- What we’ve seen so far is that access tokens were not used to access things like private messages, or posts, or to post anything to these accounts.
But the real sting in the tail is this answer:
- Attackers did try to use the APIs to access profile information — like name or gender or hometown — but it is important to say the attackers could use the account as if they are the account holder.
Jason Polakis, Assistant Professor of Computer Science at the University of Illinois at Chicago and independent Facebook security researcher, said:
- The impact could be significantly bigger since those stolen credentials could gain access to so many other sites. Companies that allow customers to log in with Facebook Connect are scrambling to figure out whether their own user accounts are part of this.
- An unexpected finding during our experiments was that when attackers use hijacked FB to access the user’s FB account, the attacker’s session didn’t show up in the list of active sessions if the attacker stayed connected for less than 60 minutes.
- More importantly, once attackers gain access to those 3rd parties [Facebook linked logins], they can maintain access to user accounts in those websites using the cookies set by those sites. No matter what FB does, they can’t do anything to prevent attackers from accessing those accounts.
- The hack and its fallout underscore the lengths to which Facebook has cemented itself as the identity of the internet, and what happens when the security systems of one company — trusted by so many — fail. Just the sheer fact that this exists will magnify the scale of any hack.
- To make matters worse, we found that the majority of popular sites that we audited don’t offer session management options for terminating active sessions and invalidating cookies. Users currently lack ways to recover from 3rd party attacks on their accounts.
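To make Polakis’ point concrete, here is an added toy model (not code from the article, from Facebook or from his research) of a site that offers “Log in with Facebook”. It shows why invalidating the stolen Facebook token does nothing to a session the attacker has already opened at the third party, and the “terminate all sessions” control that the audited sites lacked. All names and values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


class RelyingParty:
    """Toy third-party site that accepts 'Log in with Facebook' (constructed)."""

    def __init__(self):
        self.cookie_key = secrets.token_bytes(32)
        self.session_generation = {}  # user_id -> generation number of valid cookies

    def _mac(self, payload):
        return hmac.new(self.cookie_key, payload, hashlib.sha256).hexdigest()

    def login_with_idp(self, idp_token_is_valid, user_id):
        """The identity provider's token is checked once, here; from then on
        only the site's own cookie is consulted, exactly as Polakis describes."""
        if not idp_token_is_valid:
            raise PermissionError("identity provider rejected the token")
        gen = self.session_generation.setdefault(user_id, 0)
        payload = json.dumps({"uid": user_id, "gen": gen}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._mac(payload)

    def authenticate(self, cookie):
        """Return the user id if the cookie is authentic and not yet invalidated."""
        try:
            body, mac = cookie.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None
        claims = json.loads(payload)
        if claims["gen"] != self.session_generation.get(claims["uid"]):
            return None  # cookie predates a 'log out everywhere'
        return claims["uid"]

    def terminate_all_sessions(self, user_id):
        """The control the audited sites lacked: bump the generation so every
        outstanding cookie for this user, the attacker's included, stops working."""
        self.session_generation[user_id] = self.session_generation.get(user_id, 0) + 1


def demo():
    site = RelyingParty()
    # Attacker logs in while the stolen Facebook token is still accepted.
    attacker_cookie = site.login_with_idp(idp_token_is_valid=True, user_id="victim")
    # Facebook later invalidates the token; the site never re-checks it.
    survives_idp_revocation = site.authenticate(attacker_cookie) == "victim"
    site.terminate_all_sessions("victim")  # only the site itself can end the intrusion
    return survives_idp_revocation, site.authenticate(attacker_cookie)
```

`demo()` returns `(True, None)`: the attacker’s cookie outlives the token revocation and dies only when the site invalidates its own sessions.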
One Facebook f’up fall-out Aussie rang me in a panic (name withheld).
This millennial is a serious, long-term user of Facebook. Last week she received an email from Facebook that her Facebook account was compromised. This was as useful as a one-legged man in an arse kicking competition. Having read GadgetGuy’s articles, she contacted us.
Hackers had full access to her profile; her posts, likes – well, the whole nine yards. Facebook has admitted that at a minimum hackers harvest people’s private information, including name, sex and hometown, address, phone number and whatever else was in their profile.
Mark Zuckerberg did say that hackers did not access passwords or credit card information. Well Mark, that is good, but it is the tip of a very large iceberg. Personal information goes straight to the dark web to help fill out those 50-90 million poor souls’ profiles for later extortion.
She could not access Spotify. The hackers were able to use the stolen access token to change her password. Hackers get a few dollars selling stolen Spotify, Netflix and other subscription accounts.
Emails to Spotify about this issue were unanswered, and she could not change the password back. She has lost all her downloaded music, playlists and more. She had to cancel her credit card authority, and all that takes time.
But she was anxious as other apps using Facebook’s login like Airbnb and over 161,727 other websites were open back doors too. By the way, that figure is down from 193,098 due to recent security scares. In Australia, 458 websites accept the Facebook login. Most are shopping sites.
But it does not stop there. Her Facebook logins to Amazon, Twitter, YouTube and other accounts are inaccessible. She lost years of business tweets, and dozens of YouTube videos she had made.
But her biggest worry is the slightly saucy (well outright XXX adult) content she posted on Tinder – and that is now unavailable too.
With this data breach, businesses are no longer confident in their ability to verify a user is actually who they say they are.
Final words – #DeleteFacebook
There are two issues here:
If you are a victim of this latest hack, then there are no more secrets. If you put anything in your Facebook or any linked account or linked login account that you would not want your mother to know, then it is too late. That data can impact you. Not today, but it is now in the dark web for identity theft and even blackmail.
If you are yet to be a victim (and it is when not if in my opinion) it is high time to review what is in your profile and do damage control.
Facebook is such a drug that it is too much of an ask to do what hundreds of millions of its 2.234 billion users have done – close it down. The #DeleteFacebook movement reports that 44% of users aged 18-29 had deleted their account, 42% have taken a break for a few weeks, and 54% have readjusted their privacy settings.