One thing is for sure. Hackers have been using the Facebook ‘View As’ f’up for at least a year. They have had plenty of time to leisurely stroll through, and steal information from up to 90 million accounts. It is called the Facebook f’up fall-out effect.
The official transcript of Facebook’s Guy Rosen’s answers to the Facebook f’up is scary.
Here are a few clangers:
Security vulnerabilities are by definition — they’re obscure, and they’re very hard to find.
Regrettably, we did not catch this complex interaction of bugs [from April to September 2017] that led to this vulnerability.
We did see this attack at a fairly large scale, and that’s how we discovered this.
Look, this is a — this is clearly a breach of trust, and we take this very seriously. We’re working with lawmakers and with regulators to let them know about what happened.
I think that this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community.
What we’ve seen so far is that access tokens were not used to access things like private messages, or posts, or to post anything to these accounts.
But the real sting in the tail is this answer:
Attackers did try to use the APIs to access profile information — like name or gender or hometown — but it is important to say the attackers could use the account as if they are the account holder.
Jason Polakis, Assistant Professor of Computer Science at the University of Illinois at Chicago and independent Facebook security researcher, said:
The impact could be significantly bigger since those stolen credentials could gain access to so many other sites. Companies that allow customers to log in with Facebook Connect are scrambling to figure out whether their own user accounts are part of this.
An unexpected finding during our experiments was that when attackers use hijacked FB to access the user’s FB account, the attacker’s session didn’t show up in the list of active sessions if the attacker stayed connected for less than 60 minutes.
Once attackers gain access to those 3rd parties [Facebook linked logins], they can maintain access to user accounts in those websites using the cookies set by those sites. No matter what FB does, they can’t do anything to prevent attackers from accessing those accounts.
The hack and its fallout underscore the lengths to which Facebook has cemented itself as the identity of the internet, and what happens when the security systems of one company — trusted by so many — fail. Just the sheer fact that this exists will magnify the scale of any hack.
To make matters worse, we found that the majority of popular sites that we audited don’t offer session management options for terminating active sessions and invalidating cookies. Users currently lack ways to recover from 3rd party attacks on their accounts.
One Facebook f’up fall-out Aussie rang me in a panic (name withheld).
This millennial is a serious, long-term user of Facebook. Last week she received an email from Facebook that her Facebook account was compromised. This was as useful as a one-legged man in an arse kicking competition. Having read GadgetGuy’s articles, she contacted us.
Hackers had full access to her profile: her posts, likes, the whole nine yards.
Facebook has admitted that, at a minimum, hackers harvested people’s private information, including name, sex, hometown, address, phone number and whatever else was in their profile.
Mark Zuckerberg did say that hackers did not access passwords or credit card information. Well, Mark, that is good, but it is the tip of a very large iceberg. Personal information goes straight to the dark web to help fill out those 50-90 million poor souls’ profiles for later extortion.
She could not access Spotify. The hackers were able to use the stolen access token to change her password. Hackers get a few dollars selling stolen Spotify, Netflix and other subscription accounts.
Emails to Spotify about this issue were unanswered, and she could not change the password back. She has lost all her downloaded music, playlists and more. She had to cancel her credit card authority, and all that takes time.
But she was anxious because other apps using Facebook’s login, like Airbnb and over 161,727 other websites, were open back doors too. By the way, that figure is down from 193,098 due to recent security scares. In Australia, 458 websites accept the Facebook login. Most are shopping sites.
But it does not stop there. Her Facebook logins to Amazon, Twitter, YouTube and other accounts are inaccessible.
She lost years of business tweets, and dozens of YouTube videos she had made.
But her biggest worry is the slightly saucy (well, outright XXX adult) content she posted on Tinder – and that is now unavailable too.
With this data breach, businesses are no longer confident in their ability to verify that a user is actually who they say they are.
If you are a victim of this latest hack, then there are no more secrets. If you put anything in your Facebook account, or in any linked account or linked-login account, that you would not want your mother to know, then it is too late. That data can impact you. Not today, but it is now on the dark web for identity theft and even blackmail.
If you are yet to be a victim (and it is when, not if, in my opinion) it is high time to review what is in your profile and do damage control.
Facebook is such a drug that it is too much of an ask to do what hundreds of millions of its 2.234 billion users have done – close it down. The #DeleteFacebook movement reports that 44% of users aged 18-29 had deleted their account, 42% have taken a break for a few weeks, and 54% have readjusted their privacy settings.
But even that does not cure the issue – once something is on the internet it is there forever. There is a great read at Forbes about deciding to get out.
I could not provide much solace to the Millennial ‘hackee’ except to offer logic.
Review your Facebook account
Change every password on every site (don’t use the same one, and get two-factor ID)
Advise your bank and blanket stop all periodic credit card payments, especially for recurring subscription-based
And to tell her that Facebook’s share price went over a cliff.
Good, she replied.