Facebook on Friday said a security breach affected accounts on the social network.
The vulnerability stemmed from Facebook's "view as" feature, which lets people see what their profiles look like to other people. Attackers exploited code associated with the feature that allowed them to steal "access tokens" that could be used to take over people's accounts. 
While access tokens aren't your password, they allow people to log in to accounts without needing it. Facebook also said later Friday that the breach also affected third-party apps that you have linked to your Facebook account, including Instagram. As a precautionary measure, Facebook logged about 90 million people out of their accounts, the company said.
The social network said it discovered the attack earlier this week. The company has informed the FBI and the Irish Data Protection Commission. Facebook said the investigation is in the early stages and it doesn't yet know who was behind the attacks.
"This is a really serious security issue," CEO Mark Zuckerberg said on a conference call with reporters Friday. "This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort." 
The news comes as Facebook has been under intense scrutiny for its ability to keep the data of its more than 2 billion users safe. The company is still reeling from its Cambridge Analytica scandal in March, in which a UK-based digital consultancy harvested the personal information of 87 million Facebook users.
The vulnerability disclosed on Friday came from a change issued in July 2017, when Facebook pushed a feature that prompted people to upload "Happy Birthday" videos, Facebook vice president of product management Guy Rosen said on the call. The company is still investigating the attack. Because access tokens were stolen and not passwords, Facebook said that affected users don't need to change their security settings, including their passwords.
But when hackers viewed a Facebook profile as another user, sometimes the tool for posting a birthday video would appear. That shouldn't have happened, but did at times because of a bug, according to Facebook. Then, because of yet another bug affecting the video tool, hackers were able to generate an access token for the targeted user, giving them access to the user's account.
With the access token, hackers had control over the user's account. They could then "pivot," Rosen said, and view their victim's account as yet another user. Then they would repeat the process and generate an access token for that user, too.
The hackers were able to dramatically scale up this multi-step attack, so much so that Facebook noticed an unusual spike in user activity in September and began investigating, Rosen said.
Fatemeh Khatibloo, an analyst at Forrester who focuses on consumer privacy, said in an email that it appeared Facebook had contained the damage from the breach at an early stage. She added that users probably heard about it sooner than they otherwise would have, because new privacy regulations came into effect in the European Union earlier this year. The regulation requires companies to tell users about a data breach no more than 72 hours after learning of it themselves.
"GDPR has forced [Facebook]'s hand in reporting the breach much earlier than they perhaps would have liked, and before they understand the full scope," Khatibloo said.
Debra Farber, senior director of privacy strategy at tech firm BigID, said the increased speed in reporting data breaches will have a positive long-term effect for the company. "It may not be today or tomorrow, but such actions are sure to engender significantly more trust," she said. BigID helps companies comply with privacy regulations.
The breach has also led to more criticism from lawmakers, who have already discussed introducing regulation to rein in big tech companies.
"A full investigation should be swiftly conducted and made public so that we can understand more about what happened," Sen. Mark Warner, a Democrat from Virginia, said in a statement. "Today's disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures."
As news spread of the data breach Friday, Facebook's own platform blocked users from posting two articles about the hacking attack. One article was by the Guardian and the other was by the AP. Facebook confirmed that its system was blocking the articles, saying it was an error. "We fixed the issue as soon as we were made aware of it, and people should be able to share both articles," the company said in a statement. "We apologize for the inconvenience."
Facebook has been without a chief security officer since Alex Stamos left in August to teach and do research at Stanford University. His departure took place during a larger reorganization of the company's security team that was ongoing when the attack began.
Source: Tech Radar