LEWIS JOLY/VIVA TECHNOLOG/SIPA/Newscom
Facebook has had a rough year. The social media giant has been castigated for everything from sneaky data policies to "shadow profiles," political bias, the election of Donald Trump, and even a genocide in Myanmar. Some of these criticisms hold more water than others. But last month, Mark Zuckerberg and company bungled up their business in a pretty straightforward way: They suffered their worst hack yet.
Some 50 million accounts are known to have been affected by the vulnerability, which had reportedly existed since July of 2017 before being discovered on Sept. 25 and publicized three days later. Another 40 million accounts were thought to possibly be at risk, so the company made a firm decision to lock all 90 million users from their profiles while they made the necessary fixes.
You may have noticed a special message from Facebook about privacy and security the week that this happened: This means that your account could have been affected. The mechanism involved what's called Facebook Connect, which is a "single sign-on" (SSO) that allows you to use your Facebook account as a way to access other websites.
The attackers apparently combined three separate zero day—or unknown—vulnerabilities to gain access to user accounts.
Here's how it worked: Facebook users have the ability to see what their profile looks like to other users—like a friend, or a friend of a friend, or just a random stranger. This is called the "View As" feature, and it was ironically first created to give users more of a feeling that they were in control of their data.
Hackers first exploited a bug that made the "View As" feature appear as a video upload tool (like those weird "Year in Review" videos that the platform periodically auto-generates). Then they manipulated the uploader to generate an access token, which is what Facebook Connect uses to allow you to access other websites. Finally, the hackers were able to pivot and gather access tokens for other users connected to that account (who you would be "viewing as").
If the hack sounds complicated, it's because it is. (And some hoaxsters have taken to sowing more confusion in its wake by tricking people into thinking their accounts have been compromised.) Information security experts surmise that the attackers must have been a very sophisticated actor to pull something like this off. Perhaps it was a nation-backed actor, or some other well-heeled mercenary group. Maybe it was just an exceptionally talented 400-pound bedbound hacker. Whatever the case, attackers this sophisticated are usually equally good at covering their tracks. As Facebook vice president Guy Rosen told reporters, they may "never know" who is responsible.
This was obviously huge news, not least because so many people have come to rely on Facebook to dispel boredom and enjoy digital camaraderie throughout their days. Facebook is a huge and well-capitalized company. Users share so much data with Facebook in part because they expect that it will prioritize security. And Facebook indeed employs scores of very talented engineers.
But the centrality of Facebook is precisely why hacks like these such an omnipresent and dangerous threat.
The bigger the company, the bigger the target. The greater the data infrastructure, the more potential vulnerabilities there are to proactively defend against. Paradoxically, the great trust the people place in Facebook to be a secure platform to share their lives is precisely what makes it such a tantalizing target. Furthermore, larger platforms have greater potential for security vulnerabilities by sheer virtue of their size and complexity. Facebook and companies like it (The Wall Street Journal just reported that Google+ also suffered a recent breach) are placed in the impossible position of providing divine security for a population that is conditioned to not worry about these things too much.
This becomes so much worse when you consider the spillover effects of this case. While the final carnage is being assessed, it is possible that the contagion will spread to websites that used Facebook as a SSO option.
Think about all of the websites that you have connected to your Facebook account. If you were affected by the account token vulnerability, then the other websites that use Facebook Connect may also be vulnerable, as the New York Times reported.
This is a concerning prospect indeed, and it's a good idea for affected Facebook users to keep an eye on communications from connected apps and websites to see whether or not the rot has spread.
Maybe Facebook could have done more to protect against this particular hack. Or maybe not. Security professionals are not gods, and the hacking risks will always outstrip firms' resources to protect against them.
Finger-wagging and legislation can only do so much. Really, we should think more about the centralized infrastructure of our Internet experience that makes breaches like these an omnipresent and high-stakes threat.
There is no technical reason that many of the most popular user-facing web services—platforms like Facebook and Twitter—need to necessarily be run as a single, central, for-profit entity. They can be arranged like a protocol more like email, where there is a diverse array of service providers tailored to one's own preferences from which to choose. This doesn't mean that hacking risks would go away. But it would at least decentralize the threat points, and therefore lower the risks to the overall infrastructure.
The Facebook hack yet again illustrates an important security maxim of our digital age: Trusted third parties are security holes. To the extent that we can limit our reliance on mega-centralized platforms like Facebook, the better the resilience of our overall security posture will be.
Comments