Posted by Taylor Armerding on September 28, 2018
Facebook CEO Mark Zuckerberg has had to use variations of the word “serious” a lot over the past year—most notoriously regarding the social media giant’s sale of member data to Cambridge Analytica, which was viewed as affecting the 2016 presidential election.
He had to use it again, and not in a good way, on Friday when the company announced that at least 50 million, and possibly as many as 90 million, accounts had been compromised by hackers exploiting a zero-day flaw in code related to Facebook’s “View As” feature, which lets users see what their profiles look like to others. The idea is to let users control what other people can see.
“This is a really serious security issue and we’re taking it really seriously,” Zuckerberg told reporters on a media call.
In other words, the accounts of those who have used the “View As” feature since July 2017 should probably be “viewed as” hacked.
The vulnerability allowed hackers to steal Facebook access tokens, which they could use to take over people’s accounts.
Those tokens amount to digital keys that keep people logged into Facebook so they don’t need to re-enter their password every time they use the app. It is another example of convenience that, in some cases, comes at a cost.
It also means those whose accounts were compromised need to worry about more than just their Facebook accounts. Tim Mackey, technical evangelist with Synopsys, noted, “It’s worth highlighting that access tokens are the equivalent of a username and password combination used by applications to authenticate against other applications.
“If you’ve ever used a Facebook login button on a website, now would be an excellent time to review your App Settings, to see which applications and games you’ve granted access rights to within Facebook,” he said.
The details of the breach so far are sketchy, since virtually all of them are coming from Facebook itself, which is in the “early stages” of an investigation that began after the discovery on Sept. 25. But here are the fundamentals, laid out in a blog post by Guy Rosen, vice president of product management:
As a percentage of Facebook users, the scope of the breach isn’t all that significant. Out of roughly 2 billion total users, 50 million is only 2.5%. Even if all 90 million potentially breached accounts were affected, that’s just 4.5%.
But it prompted Sen. Mark Warner, D-Va., co-chair of the Senate Cybersecurity Caucus, to call for a full congressional investigation of the incident. In a statement to Gizmodo, he noted the “dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.”
And Gary McGraw, vice president of security technology at Synopsys, noted that this breach is just one in a seemingly unending string of them that are enabled by insecure software.
“Another day, another software problem that leads to security disaster,” he said.
“Getting software security right is difficult, but not impossible. This breach emphasizes just how important software security is, and how subtle solid security engineering can be.
“When a feature like ‘View As’ can be turned on its head into an exploit, it indicates a design problem. Design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built,” he said.