Another Facebook Security Breach

Introduction

Facebook admitted on Friday to a security breach, allegedly abused by an unknown attacker, exposing account data from at least 50 million users. The Company, which has more than ca. 2.2 billion monthly accounts, is battling to regain trust from users after numerous incidents leading to the exposure of customer’s data. The incident comes at a time of significant trouble for social media companies, facing rising criticism over issues including foreign election interference, the flow of disinformation, hate speech, and privacy. As a result, some experts and officials have expressed concerns about whether social media firms can effectively manage and protect users' data. This cybersecurity Info Note reviews the recent data breach incident with Facebook platform, while the investigation is still ongoing.

Contextual Information

Facebook disclosed that at least 50 million users’ data are confirmed at risk after attackers allegedly exploited a vulnerability that allowed them access to personal data. According to the Company CEO Mark Zuckerberg, the vulnerability was fixed and a response has been immediately disseminated. The Company initial review suggests the attack was broad in nature, saying it has yet to determine whether the attacker misused any accounts or stole private information. The investigation was not able to identify any attacker’s location or whether specific victims were targeted. The Company reported that it has not seen any accounts compromised — although it is still in early investigation state.

The Company reported that is working with the Federal Bureau of Investigation (FBI) to conduct further investigations into the incident, notified the Department of Homeland Security, Congressional aides and the Data Protection Commission in Ireland, the EU Member State where the company has European headquarters.

This is not the first time that Facebook discloses software flaws - In 2013, Facebook disclosed flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year. A technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.

Technical information on the vulnerability and attack

Facebook disclosed that an external actor attacked their systems and exploited a vulnerability that exposed its software access tokens for user’s accounts in HTML, when a particular component is rendered of the “View As” feature.

The vulnerability - unknown to Facebook until last Friday - resulted from the interaction of three distinct software flaws, introduced in the platform back in July 2017, into its video uploader:

• “View As” is a privacy feature that lets users see how their own profile looks like to someone else. The “View As” functionality, designed as a view-only interface, for one type of composer (the box that lets users post content to Facebook) — specifically the version that enables people to wish their friends happy birthday —incorrectly provided the opportunity to post a video.
• A new version of a video uploader (the interface that would be presented as a result of the flaw previously described), introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.
• When the video uploader appeared as part of “View As”, it generated the access token not for the user as the viewer, but for the one being looked-up.

The attack, materialized through the theft of “access tokens”, uses a security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login. On a positive note, tokens do not store user’s password so there is no need to change it.

According to the Company, the attackers were using Facebook developer APIs to obtain personal information, like “name, gender, and hometowns”, linked to a user’s profile page.

Measures taken by Facebook in response to the incident

• Facebook says it fixed the vulnerability on September 27, and then began resetting the access tokens of people to protect the security of their accounts.
• As many as 90 million users were logged-out from their accounts – from phones or computers - and required to log back in as a security measure.
• The company plans to identify relevant users and notify those whose accounts were affected.
• Facebook said that it’s not yet sure if Instagram accounts are affected, but were automatically secured once access tokens were revoked.

Incident reviewed under the EU General Data Protection Regulation

The Facebook security breach has led to the compromise of personal accounts of Facebook users, thus, qualifying as a personal data breach under the General Data Protection Regulation (GDRP)[1]. According to the GDPR, data controllers shall notify a personal data breach to the competent Data Protection Authority (DPA) within 72 hours after having become aware of the breach. This report should provide information about the nature of the breach, its likely consequences and relevant mitigation measures. When the risk of the breach for the persons affected is high, the controllers also need to inform these persons without undue delay. Furthermore, Facebook reportedly notified the Irish DPA, without, however, providing any details on the nature of the breach, the level of risk and the affected EU users. Facebook also said that it reset the access tokens of nearly 90 million users and notified them of the breach, while temporarily turning off the feature that caused the vulnerability.

Considerations on the disclosure

• The Irish DPC was critical in its initial response to the breach, tweeting: “At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters.”
• Facebook said that it looks unlikely that private messages were accessed, no credit card information was taken in the breach or made posts on users’ behalf.

If Facebook is found to have breached European data protection rules — under the newly implemented GDPR — the company can face fines of up to four percent of its global revenue. FTC Commissioner also tweeted that “I want answers” regarding the Facebook incident.

Recommendations

ENISA published an Info Note early this year reviewing “The Value of Personal Online Data” and issued recommendations that are still valid today. In particular to this incident:

• Facebook already cancelled the access tokens for all users affected. However, users are advised to change passwords regularly and activating the two-factor authentication.
• Users should delete sensitive personal information shared, reducing the risk of exposure in future attacks.
• Users should avoid sharing sensitive information in social media platforms and associated services.
• Users should check if accounts were improperly accessed using the platform. Once users log back into their Facebook accounts, they can go to account security, which presents from where the account was logged-in.
• Users should regularly review their account login activity. Facebook security page allows users to review which devices are logged-in to the account and where those devices are located. The page also has an option to force a simultaneous logout of all devices connected to the account.
• Users should clean the cookies from all browsers and devices used to access Facebook and its related services.
• Follow the advice from trusted sources such as national CSIRTs.

Recommendations for data carer’s organizations victims of a data breach incident:

• As soon as the breach is discovered and its potential impact is assessed, inform the DPO, relevant EU DPA and CSIRTs Network[2] members.
• Assess the potential impact of the breach.
• Coordinate with law enforcement authorities making sure that no possible evidence of any crimes are deleted by mistake.
• Create a crisis communication team and establish a communication channel to report back to stakeholders and users, in a timely manner.
• Define a crisis communication plan.
• Keep account owners constantly updated and provide effective countermeasures.
• After the incident, use it as an opportunity to do awareness raising within the team.

Closing Remarks

While Facebook and law enforcement agencies investigate the incident, many questions are popping out on the real intention behind this attack. Firstly: what type of advantage perpetrators took from accessing users account details for more than a year? Secondly: Why perpetrators did not opt to collect the rewards from Facebook “bug bounty” program by disclosing the vulnerabilities? Lastly: What type of results perpetrators aimed to achieve?

Until the situation becomes clear, the work of national CSIRTs is key in this process. An effective response is prepared at the national level to deal with the preparedness and later impact from this type of incidents.

As breaches are more common, users may become desensitized or complacent at worst. Organizations should be held accountable for privacy failures even when the damage done is unclear. Users are growing accustomed to letting out a deep sigh and moving on with their lives. The ones that people will definitely remember are the ones that can potentially threaten both within the digital world and in their offline lives.