The Facebook Breach: A Design Flaw And A Wake-Up Call

The recent Facebook breach which attacked 50 million accounts should be a wake-up call for the industry, according to security experts commenting on the security issue which Facebook discovered on September 25.

Facebook has temporarily taken down the feature that had the security vulnerability. The feature is called “View As” and it’s a privacy tool to let you see how your own profile would look to other people.

“The revelations coming out of Facebook should be a wake-up call for the industry – abiding by the status quo of security is simply not an option,” remarked Sanjay Aurora, Managing Director, Asia Pacific, Darktrace. “If Facebook can be breached, we have to assume that all organizations either have been breached or will be soon.”

Aurora noted that in order to bypass Facebook’s security controls without raising alarm bells, this attack would have had to be complex, sophisticated, and stealthy.

“Complex attacks have many moving parts that often appear as individual, subtle anomalies hiding within the noise of the network. Attacks like this will only continue to threaten our organizations, and we have to assume that it will only get harder and harder to detect,” said Aurora.

Joanne Wong, Senior Regional Director for Asia Pacific & Japan at LogRhythm, noted that the vulnerability was introduced to the site since July last year and Facebook is not sure right now when the attacks began.

“They only noticed it earlier this month so it could mean that the attackers may have had access to data of millions of accounts for a long time. Again, this highlights the need for reduction in time to detect and mitigate a threat,” said Wong. ‘The view-as feature is essentially a light version of account impersonation. While well-intentioned, the feature is difficult to implement programmatically, in that you are viewing your account as another individual.”

Measures Facebook has taken

In a post on Facebook, Mark Zuckerberg shared that “an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook. We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”

Zuckerberg went on to say that they’ve already taken a number of steps to address this issue. The company has invalidated the access tokens for the accounts of the 50 million people who were affected – causing them to be logged out, according to Zuckerberg. Those affected will have to log back in to access their accounts again.

“As a precautionary measure, even though we believe we’ve fixed the issue, we’re temporarily taking down the feature that had the security vulnerability until we can fully investigate it and make sure there are no other security issues with it. The feature is called “View As” and it’s a privacy tool to let you see how your own profile would look to other people,” wrote Zuckerberg.

As an additional precautionary measure, the company is also logging out everyone who used the View As feature since the vulnerability was introduced. This will require another 40 million people or more to log back into their accounts.

“We do not currently have any evidence that suggests these accounts have been compromised, but we’re taking this step as a precautionary measure,” said Zuckerberg.

Design flaw

In a statement issued to the press, Dr. Gary McGraw, Vice President of Security Technology, Synopsys (Software Integrity Group), noted that the breach emphasizes just how important software security is, and how subtle solid security engineering can be.

“When a feature like “View As” can be turned on its head into an exploit, it indicates a design problem that led to unanticipated security vulnerability.  Design flaws like this lurk in the mind boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built,” said McGraw.

While it is early in the investigation, the Facebook network breach shows how important an incident response plan is, according to Tim Mackey, Technology Evangelist, Synopsys (Software Integrity Group).

“In this case, the incident response includes information surrounding access tokens. Because this issue impacted “access tokens”, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications. If you’ve ever used a Facebook login button on a website, now would be an excellent for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook,” said Mackey.

Endless incentives for cybercriminals

Darktrace’s Aurora says that every single organization needs to take a hard look at how they are protecting their sensitive data, where they are investing their money, and what technologies they are using for defense and response.

“While we may never understand the attacker’s motivations, it is important to realize that incentives are endless in this new era of cyber warfare. With upcoming U.S. elections around the corner, it would be remiss not to consider the possibility of nation-state actors with political motives. However, this attack also comes at a time where Facebook is under scrutiny by privacy activists and anti-censorship advocates, indicating that the attack might be an example of hacktivism.”

Aurora further said that it is during security incidents where technologies rooted in artificial intelligence will be paramount.

“AI is capable of sifting through large amounts of data and lines of code to identify these subtle patterns, and what’s more, it is intelligent enough to determine how to contain the threat as it’s emerging in real time. We live our lives in a maze of interconnectivity, and the more we connect, the more risk we adopt into our lives and networks. It has never been more crucial to adopt AI as the core component of every security strategy – we can’t keep fighting the battle on our own.” 

Always assume information may be made public

As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms.

“In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to user’s privacy as other data breaches we have heard about or even Cambridge Analytica for that matter,” said Sophos Principal Research Scientist, Chester Wisniewski.

“For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”

A gold mine to threat actors

Facebook has access to the personal information of billions of people; a relative gold mine to threat actors and consumers alike. When you’re entrusted with billions of personal records, on your flagship platform, the security of your software must be paramount.

“We face constant attacks from people who want to take over accounts or steal information around the world. While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place. If you’ve forgotten your password or are having trouble logging in, you can access your account through the Help Center,” said Zuckerberg. – Networks Asia