On 25th September 2018, the biggest breach in the history of Facebook was discovered by its engineers. It was severe because attackers stole access tokens for about 50 million users. An access token is a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Using such a token, attackers can take full control of the victim's account, including logging into third-party applications that use Facebook Login.
The company said that it began an investigation after discovering unusual activity on 16 September 2018 and found the breach. The vulnerability was patched on 27th September 2018, and the stolen access tokens were reset to protect the user accounts. The attackers exploited a vulnerability in Facebook's "View As" feature to steal the tokens. This feature is currently suspended.
Below is some technical analysis, and the lessons we can learn from the incident. More details can be found on Facebook's official blog.
This is a classic example of application-level bugs leading to a very serious breach. As mentioned in Facebook's official blog, this vulnerability was caused by three bugs combined.
First, View As is a feature that lets people see how their profile appears to others. It was supposed to be a view-only interface, but in one component it had edit capability, which allowed the user to post a video. The "Principle of Least Privilege" was violated here.
Second, the video uploader generated an access token when it should not have.
Third, the View As token was wrongly generated. It should have been a "view-as" or impersonation token instead of a regular access token for the user. This was an incorrect implementation of impersonation and again violated the "Principle of Least Privilege". That access token was then available in the HTML of the page, from which the attackers were able to extract it and use it to log in as another user.
This leads to an interesting point. A software weakness or bug may not appear severe in its current context but may turn out to be a critical vulnerability later. Very often, when multiple small teams work on different features or components, integration or reuse can introduce a weakness like this. So it is very important to take a holistic approach to security, considering all the components and all attack surfaces.
A couple more points to consider here.
Facebook tokens are used by several third-party sites for login. The attackers who stole the access tokens could use them to access those sites. Though Facebook said it did not find any case of the stolen access tokens being used in third-party apps or sites, it would be a safe practice to log out and log back in to third-party sites if you have used Facebook to log in earlier.
This breach leaked users' personal information through the access tokens. Since EU users may be affected as well, Facebook may face a penalty under the GDPR. More details are available at GDPR.
Companies like Google and Facebook are always big targets for attackers, so there is less room for error. In this case the attack was not straightforward and required exploiting multiple bugs, yet it was carried out successfully. I suppose these companies are trying hard to secure their users, but practically speaking, these types of errors can happen. It is also important to follow secure practices as a user or company that leverages services from Facebook and Google. As a user, you should log out and log back in on any site where you have logged in using Facebook, and make a habit of explicitly logging out of your session on any site rather than depending on the site to expire the session. As a site owner, if you support login using Google or Facebook, you should not use a long session validity time.
Be aware, be safe online!
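As an added illustration (my own example, not Facebook's code or anything from the original post), here is how a third-party site could apply that advice on the server side: check the Facebook token against the shape of the Graph API debug_token response (app_id, user_id, is_valid, expires_at) so that a token Facebook has reset is rejected, and keep the site's own session short with periodic re-validation instead of trusting a stolen token for weeks. The session lifetimes and sample responses are assumptions constructed for the example.

```python
import time

# Assumed policy values for the example: a short absolute lifetime and a
# re-validation interval, rather than a session that lives for weeks.
MAX_SESSION_AGE = 60 * 60       # 1 hour
REVALIDATE_EVERY = 5 * 60       # re-check the Facebook token every 5 minutes


def token_acceptable(debug: dict, expected_app_id: str, expected_user_id: str, now: float) -> bool:
    """Decide whether an introspected Facebook token may back a session on this site.

    `debug` has the shape of a Graph API debug_token response. A token that
    Facebook has reset comes back with is_valid == False, so a stolen token
    is refused at the next check even if the site's own session is still alive.
    """
    d = debug.get("data", {})
    if not d.get("is_valid"):
        return False                                   # revoked, reset or expired at Facebook
    if str(d.get("app_id")) != expected_app_id:
        return False                                   # token was minted for a different app
    if str(d.get("user_id")) != expected_user_id:
        return False                                   # token is not for this session's user
    expires_at = d.get("expires_at", 0)
    if expires_at and expires_at <= now:               # 0 means a non-expiring token
        return False
    return True


def session_still_valid(session: dict, debug: dict, expected_app_id: str, now: float) -> bool:
    """Short absolute session lifetime plus periodic re-validation against Facebook."""
    if now - session["created_at"] > MAX_SESSION_AGE:
        return False                                   # do not rely on a long-lived session
    if now - session["last_validated"] >= REVALIDATE_EVERY:
        if not token_acceptable(debug, expected_app_id, session["user_id"], now):
            return False                               # Facebook reset or rejected the token
        session["last_validated"] = now
    return True


# Constructed sample introspection results (not real Facebook data).
SAMPLE_GOOD_TOKEN = {"data": {"app_id": "123", "user_id": "42", "is_valid": True, "expires_at": 2_000_000_000}}
SAMPLE_RESET_TOKEN = {"data": {"app_id": "123", "user_id": "42", "is_valid": False, "expires_at": 0}}

if __name__ == "__main__":
    now = time.time()
    session = {"user_id": "42", "created_at": now, "last_validated": now}
    print("fresh session ok:", session_still_valid(session, SAMPLE_GOOD_TOKEN, "123", now + 60))
    print("after token reset:", session_still_valid(session, SAMPLE_RESET_TOKEN, "123", now + 600))
```

In a real deployment the `debug` dict comes from a server-to-server call to Facebook's debug_token endpoint authenticated with the app's own credentials, never from anything the browser sends.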