“Very creative” breach involving chain of three distinctive bugs
With the dust beginning to settle on a colossal security breach at Facebook, disclosed on Friday, in which attackers stole access tokens for some 50 million accounts and Facebook reset tokens for up to 90 million, including those of CEO Mark Zuckerberg and COO Sheryl Sandberg, here is what we know so far.
Facebook Hack: “The Interaction of Three Distinct Bugs”
The breach was the result of the interaction of three distinct bugs. None was a serious vulnerability on its own; chained together they yielded an attack that the attackers then automated to harvest access tokens at scale. One leading Facebook bug finder described it as "very creative".
The three bugs were as follows:
Bug 1: "View As" is a privacy feature that lets you preview how your profile looks to a particular other person, and it should be read-only. The video uploader in the "composer" that enables people to wish their friends happy birthday incorrectly appeared inside that preview, offering the chance to post a video.
Bug 2: That video uploader then incorrectly generated an access token carrying the permissions of the Facebook mobile app, a far broader grant than a profile preview has any need for.
Bug 3: When the video uploader appeared as part of "View As", it generated that token not for the viewer, but for the user whose profile was being looked up. The viewer thus walked away holding a valid, broadly scoped token for someone else's account.
Facebook Hack Identified After User Activity “Spike”
Facebook identified the breach after spotting a "spike" in user activity on Tuesday: having found the chain of bugs, the still-unidentified attackers were calling the site's API to automate the token harvesting across large numbers of accounts.
Facebook’s VP Engineering, Security and Privacy, Pedro Canahuati, said: “It was the combination of these three bugs that became a vulnerability… That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user.”
He added: “The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”
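To make the chain concrete, here is a small Python model of what the description above implies. It is an added example, not Facebook's code and not from the original article: a "View As" renderer that commits all three bugs and embeds the resulting token in the page, its hardened counterpart, and the automated pivot an attacker would run over a friend graph once one token is in hand. The function names, the HMAC-signed token format, the scope strings and the friend graph are all assumptions constructed for the demonstration.

```python
# Illustrative model of the "View As" token chain: an added example, not Facebook's code.
# Every name, the token format, the scopes and the friend graph are assumptions for this demo.
import base64
import hashlib
import hmac
import json
from collections import deque
from typing import Callable, Dict, Optional

SERVER_KEY = b"constructed-demo-signing-key"  # constructed; a real service uses a managed secret

# Scope the composer was accidentally handed (broad, like the mobile app's own token).
SCOPE_MOBILE_APP = "mobile_app_full"

# Constructed friend graph used to show how one stolen token pivots to others.
FRIENDS = {
    "attacker": ["alice"],
    "alice": ["attacker", "bob", "carol"],
    "bob": ["alice", "dave"],
    "carol": ["alice"],
    "dave": ["bob", "erin"],
    "erin": ["dave"],
}


def mint_token(subject: str, scope: str) -> str:
    """Issue an HMAC-signed bearer token for `subject` with the given scope."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": subject, "scope": scope}, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> dict:
    """Check the signature and return the payload; raise if it was tampered with."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))


def render_view_as_buggy(viewer: str, target: str) -> dict:
    """Vulnerable rendering of 'View As <target>' by the logged-in `viewer`.

    Bug 1: the birthday-video composer is rendered inside View As at all.
    Bug 2: the composer is given a token carrying the mobile app's broad scope.
    Bug 3: the token's subject is the profile being looked up, not the viewer.
    The token then sits in the page HTML, where anyone rendering the page can read it.
    """
    composer_token = mint_token(subject=target, scope=SCOPE_MOBILE_APP)
    html = f'<div data-access-token="{composer_token}">Post a video</div>'
    return {"profile": target, "html": html}


def render_view_as_fixed(viewer: str, target: str) -> dict:
    """Hardened rendering: View As is a read-only preview, so no composer and no token.

    If some token ever had to be embedded, it would have to be minted for `viewer`
    with a narrow scope; for a preview none is needed at all.
    """
    return {"profile": target, "html": '<div class="readonly-preview"></div>'}


def extract_token(page: dict) -> Optional[str]:
    """What the attackers did: pull the access token out of the rendered HTML."""
    marker = 'data-access-token="'
    html = page["html"]
    if marker not in html:
        return None
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def harvest(renderer: Callable[[str, str], dict], attacker: str, limit: int = 10_000) -> Dict[str, str]:
    """Automate the pivot: each stolen token lets the attacker act as that user,
    whose friends can then be viewed in turn to steal further tokens (breadth-first)."""
    stolen: Dict[str, str] = {}          # user -> token minted for that user
    queue = deque((attacker, f) for f in FRIENDS[attacker])
    seen = {attacker}
    while queue and len(stolen) < limit:
        acting_as, target = queue.popleft()
        if target in seen:
            continue
        seen.add(target)
        token = extract_token(renderer(acting_as, target))
        if token is None:
            continue                      # fixed build: nothing to steal
        payload = verify_token(token)
        stolen[payload["sub"]] = token
        # With a token for `target`, the attacker now "is" target and can View As target's friends.
        queue.extend((payload["sub"], f) for f in FRIENDS[payload["sub"]])
    return stolen
```

Running `harvest(render_view_as_buggy, "attacker")` walks the whole constructed graph from a single starting account and returns a token for every reachable user; the same call against `render_view_as_fixed` returns nothing. The point for defenders is in `render_view_as_buggy`: the token subject is derived from page state (the profile being shown) rather than from the authenticated session, and that is the class of mistake to look for whenever a server mints credentials while impersonating or previewing another principal.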
The same team that combined those three bugs on the Facebook app to steal fifty million account tokens are going after your app too, is what I would tell someone thinking of saving money by doing a bug bounty instead of a pen test 😉
— daveaitel (@daveaitel) September 30, 2018
Speculation About The Hackers
David Atkinson, Founder of Senseon and a former Ministry of Defence cybersecurity expert, told Computer Business Review: “Facebook relies on extensive bug testing and white hat hackers to find vulnerabilities within their applications, but in this case the community did not identify these vulnerabilities. Yet the entry point of the attack has been publicly available for some time.”
He added: “What I would conclude from this is that the attack was carried out by an advanced group or likely nation state, who have the resources to constantly sweep massive and therefore attractive targets, like Facebook to spot vulnerabilities. With the mid-term elections around the corner, it is not a huge leap to think that the motivation behind this attack could be political.”
Over the weekend, however, a prolific Taiwanese hacker, Chang Chi-yuan, abandoned plans to livestream the deletion of Mark Zuckerberg's Facebook account. He had announced in a Facebook post on Wednesday that he would target the Facebook CEO, a threat first spotted by Bloomberg, but gave no details of how he intended to do it.
Two days later the vulnerability was disclosed. He has since deleted his account.
Facebook Bug Bounty Programme
Last year Facebook received more than 12,000 vulnerability reports from security researchers, of which approximately 400 ended up being considered valid bugs: a 3.33 percent hit rate for people actively trying to find issues in its code base.
The company has run a popular bug bounty programme since 2011 – paying out over $6 million for vulnerabilities thus far. Just a week earlier, on September 17, the company broadened its programme, announcing that it would now also accept reports about vulnerabilities in third-party apps and services that connect to Facebook user accounts.
The company is meanwhile now facing a class-action complaint filed on behalf of California resident, Carla Echavarria, and Virginia resident, Derick Walker.
Both allege that Facebook's lack of proper security has exposed them and other potential class members to a significantly increased risk of identity theft as a result of the breach. The lawsuit was filed today in the US District Court for the Northern District of California. The complaint accuses Facebook of unlawful business practices, deceit by concealment, negligence, and violations of California's Customer Records Act.
The UK’s ICO said: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”