FIFTY million users needed to be logged out by force, and an additional 40 million for good measure, because Facebook was hacked. By the time you’ve read this, you might have heard already about it.
Anyway, 50 million users were directly affected when a vulnerability in Facebook’s “View As...” option was exploited. How it was exploited? Forbes published a report about it after talking to Thomas Shadwell, a “professional web app hacker and cybersecurity researcher.”
Read on below for Thomas Shadwell’s hypothesis on how the hack was done. It’s a bit of a long read but it’s worth knowing.
The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.” Essentially, these tokens prove the Facebook user is the rightful owner of an account and denote what they have access to. As Shadwell describes them: “OAuth tokens are like car keys, if you're holding them you can use them, there's no discrimination of the holder.” And in the context of this attack, those keys unlocked not just Facebook accounts, but any site that affected users accessed with a Facebook login. That might include Instagram or news websites.
To get those keys, the hackers abused a feature in Facebook called “View As.” It allows any user to see what another can access on their profile. For instance, if you’ve blocked your dad from looking at your photos, you can check it’s working by effectively impersonating your father and viewing your profile.
“It looks like when Facebook built the View As feature, they did this by making it a modification of how Facebook would work if actually viewed by that other user,” said Shadwell. “Which of course means if there's a mistake they might end up sending the impersonated user's credentials to the user of the 'View As' feature.”
This is where things get a bit weirder. If a user, via View As, impersonated a friend who themselves had a friend who had a birthday, the feature would also show a box prompting them to post a “happy birthday” video. Thanks to an error made by Facebook in July 2017, the video provided the user with one of those precious tokens, Shadwell said. More specifically, the video player generated and sent the user a token, one that would log them into the Facebook mobile app as if they were the person they were impersonating via View As. From there, the user (in this case a malicious hacker) would have total access over that other person’s account.
Facebook did post a security update regarding the hack and explained in detail what happened and what they did.
But the question still remains -- is Facebook still someone whom we can all trust with a lot of our personal information? If you’ve noticed, I’ve been veering away from the social media giant as of late. Honestly, these things with Facebook doesn’t really inspire confidence in me. Sure, I may have not been affected by this recent hack but that’s just me being lucky. What if my account was indeed compromised? Come to think of it, it could have been and I just didn’t know it. Although, I haven’t received any notification for me to input my pin as part of my 2FA protocol. That’s a bit of a relief. But what about those 50 million users who were directly affected? Did they have 2FA enabled for their accounts? Do they know any better when it comes to securing their accounts as best as it can be? I hope so. Because if not, that hack could let those hackers into their Tinder, Spotify and Instagram accounts. If you’re still not scared and bothered by this, I’m not sure that to think of that anymore.
If you ask me, I think it’s high time to look for alternatives. I’m trying out one right now -- Vero. There’s also Openbook but they’re still not officially launched yet. In fact, their alpha testing begins next year, 2019, on March 15. I’m excited about this actually. Hopefully, it turns out well.