Facebook Hacked — 10 Important Updates You Need To Know About

Sep 29, 2018

If you also found yourself logged out of Facebook on Friday,
you are not alone.

Facebook forced more than 90 million users to log out and back
into their accounts in response to a massive data breach.

On Friday afternoon, the social media giant disclosed that some
unknown hackers managed to exploit three vulnerabilities in its
website and steal data from 50
million users ^[1]
and that as a precaution, the company reset access tokens for
nearly 90 million Facebook users.

We covered a
story ^[2] yesterday based upon the
information available at that time.

Facebook Hack: 10 Important Updates You Need To Know About

However, in a conference call [Transcript 1 ^[3], Transcript 2 ^[4]] with reporters,
Facebook vice president of product Guy Rosen shared a few more
details of the terrible breach, which is believed to be the most
significant security blunder in Facebook’s history.
Here’s below we have briefed the new developments in the Facebook
data breach incident that you need to know about:

1.) Facebook Detected Breach After Noticing Unusual Traffic
Spike — Earlier this week, Facebook security team noticed an
unusual traffic spike on its servers, which when investigated
revealed a massive cyber attack, that had been ongoing since 16
September, aimed at stealing data of millions of Facebook
users.

2.) Hackers Exploited Total 3 Facebook Vulnerabilities —
The hack was accomplished using three distinct bugs of Facebook in
combination.

The first bug incorrectly offered users a video uploading option
within certain posts that enables people to wish their friends
‘Happy Birthday,’ when accessed on “View As” page.

The second bug was in the video uploader that incorrectly
generated an access token that had permission to log into the
Facebook mobile app, which is otherwise not allowed.

The third bug was that the generated access token was not for
you as the viewer, but for the user that you were looking up,
giving attackers an opportunity to steal the keys to access an
account of the person they were simulating.

3.) Hackers Stole Secret Access Tokens for 50 Million
Accounts — The attackers walked away with secret access tokens
for as many as 50 million Facebook users, which could then be used
to take over accounts.

Access Tokens “are the equivalent of digital keys that keep
people logged in to Facebook, so they don’t need to re-enter their
password every time they use the app.”

4.) Your Facebook Account Password Has Not Been Compromised,
But, Wait! — The good news is that the attack did not reveal
your Facebook account passwords, but here’s the bad news — it’s not
even required.

An application or an attacker can use millions of secret access
tokens to programmatically fetch information from each account
using an API, without actually having your password or two-factor
authentication code.

5.) Hackers Downloaded Users’ Private Information Using
Facebook API — Although it is not clear how many accounts and
what personal information was accessed by hackers before Facebook
detected the incident, the year-old vulnerabilities had left all
your personal information, private messages, photos and videos wide
open for hackers.

“Since we’ve only just started our investigation, we have yet to
determine whether these accounts were misused or any information
accessed,” the company said.

6.) Your “Logged in as Facebook” Accounts at 3rd-Party
Apps/Websites Are At Risk — Since secret tokens enabled
attackers to access accounts as the account holder themselves, it
could have allowed them to access other third-party apps that were
using Facebook login — a feature that lets you sign up for, and log
in to, other online services using your Facebook credentials.

7.) Facebook Reset Access Tokens for 90 Million Accounts
— In response to the massive breach, Facebook reset access tokens
for nearly 50 million affected Facebook accounts and an additional
40 million accounts, as a precaution. This means that nearly 90
Million Facebook users were logged out of their accounts on
Friday.

8.) Check Active Sessions on Facebook to Find If Your Account
Have Been Hacked — Many Facebook users have noticed unknown IP
addresses from foreign locations that apparently had accessed their
account unauthorizedly.

You can head on to “Account Settings → Security and Login →
Where You’re Logged In” to review the list of devices and their
location that have accessed your Facebook account.

If you found any suspicious session that you never logged in,
you can revoke back the access in just one click.

9.) Breach Isn’t Connected to the Hacker Who Pledged to
Delete Zuckerberg’s Personal Page — Earlier this week, a
Taiwanese hacker, Chang Chi-Yuang, claimed that he would
demonstrate a critical zero-day vulnerability in Facebook by
broadcasting himself hacking Mark Zuckerberg’s Facebook page on
Sunday.

However, it is not clear whether the latest Facebook breach has
anything to do with Chang’s hack, at least Facebook does not
believe so.

Besides this, Chang Chi-Yuang Today says he canceled the stream
and reported the bug to Facebook.

10.) Facebook Faces Class-Action Lawsuit Over The Massive
Hack — Just after the news of the breach went public, two
residents, Carla Echavarria from California and another from
Virginia, filed ^[5]
a class-action complaint against the social media giant in US
District Court for the Northern District of California.

Both allege that Facebook failed to protect their and additional
potential class members data from going into wrong hands due to its
lack of proper
security practices ^[6].

The social media giant has already been facing criticism on
handling of user data and its privacy policies in the wake of the
Cambridge Analytica
scandal, in which personal data of 87 million Facebook users
was sold to and misused by a data-mining firm
without their consent.
^[7]^[8]

Facebook has already reset account logins for tens of millions of
users and is also advising affected users who had Instagram or
Oculus accounts linked to their Facebook account to de-link and
than link those accounts again so that the access tokens can be
changed.

The vulnerabilities exploited by the hackers are fixed, and
Facebook is working with the FBI to investigate the security
incident, which has impacted approximately 2.5% of Facebook users
of its over 2 billion user base.

Since the investigation is still in the early stages, Facebook
has yet to determine whether the attackers misused the stolen
access tokens for 50 million accounts or if any information was
accessed.

References

^{^}
steal data from 50 million users
(thehackernews.com)
^{^}
covered a story
(thehackernews.com)
^{^}
Transcript 1
(fbnewsroomus.files.wordpress.com)
^{^}
Transcript 2
(fbnewsroomus.files.wordpress.com)
^{^}
filed
(www.scribd.com)
^{^}
lack of proper security practices
(thehackernews.com)
^{^}
Cambridge Analytica scandal
(thehackernews.com)
^{^}
data-mining firm without their
consent (thehackernews.com)

The Hacker News Headlines

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

Aug 18, 2023

The Hacker News Headlines

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions

Aug 18, 2023

The Hacker News Headlines

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Aug 18, 2023

OWASP TOP !0

Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Cross-Site Scripting XSS. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Facebook Hacked — 10 Important Updates You Need To Know About

Facebook Hack: 10 Important Updates You Need To Know About

References

Related Post

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

You missed

Setting up a Kali Linux USB drive with persistence is a great way to have a portable and customized security testing environment. This allows you to save files, configurations, and installed tools across reboots.

Windows Subsystem for Linux (WSL): A Technical Overview

Protected: VPNs and Netlimiter

Security Information and Event Management (SIEM) systems what are they give the top ten real world examples free open source and proprietary