It shouldn’t come as a surprise that Facebook is having more issues. It was revealed recently that there was another security incident that possibly affected 90 million users. In previous scandals, malicious hackers used legitimate features of the Facebook app and APIs for their own nefarious reasons. But this hack was different. It involved a security flaw that allowed hackers to hijack user accounts, meaning someone could have gotten directly into your account without you knowing. Should this come as a surprise to anyone? I mean, we are living in an age where this seems to happen quite frequently. Take Equifax for example. They gave away the sensitive financial information of 143 million customers in a massive data breach. And before that was the mammoth 3-billion-account hack of Yahoo.
Every time something like this happens, it’s an opportunity for these companies (and us) to learn from our past mistakes in order to come up with solutions for the future. That’s what my therapist is always telling me, so why is it that Facebook still can’t learn from both their own mistakes and the mistakes of others? This incident tells us quite a bit about the general vulnerabilities of our current user authentication methods, the mechanism by which users are granted unrestricted access to their accounts after they sign in. Unless someone fixes this method, more incidents are going to happen at other online services that are used every single day.
So how did this happen? Facebook first discovered this in the “View as” section, a feature that allows you to check your privacy settings by verifying what information and posts other users can see when they visit your profile. The hack involved three separate flaws which, combined, generated an “access token” and embedded that token in the HTML response returned when you use the “View as” feature. Access tokens are pieces of data that are generated when you sign into an application with your credentials. The token remains valid until you sign out and lets the application server verify your identity.
The problem is that the flaw generated a token for the user you chose to view your profile as, rather than for you. What does this mean? Anyone could use the feature to generate an access token for another user and gain access to that user’s account. This vulnerability had existed for over a year, and Facebook only found out about it after it detected an influx of suspicious activity. This was likely due to an application using Facebook’s APIs to automate the process of generating access tokens.
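To make the failure concrete, here is an added, self-contained example that is not Facebook’s code: a toy HMAC-signed token with an “actor” claim (who authenticated) separate from a “subject” claim (whose profile is being viewed). The flawed preview mints a full token for the target, exactly the mistake described above; the hardened preview keeps the token bound to the viewer with a read-only scope, and the server gate refuses sensitive actions unless actor and subject match. The signing key, claim names and scope strings are all assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed demo key; a real service keeps this in a KMS

def _sign(payload: dict) -> str:
    """Encode the claims and append an HMAC-SHA256 tag so the server can detect tampering."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def _verify(token: str) -> dict:
    """Check the tag in constant time and reject expired tokens; returns the claims."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

def login_token(user_id: str) -> str:
    """Full-session token for the user who actually presented credentials."""
    return _sign({"sub": user_id, "act": user_id, "scope": "full", "exp": time.time() + 3600})

def view_as_token_flawed(viewer_id: str, target_id: str) -> str:
    """The bug described above: the preview hands the viewer a full token for the target."""
    return login_token(target_id)

def view_as_token_hardened(viewer_id: str, target_id: str) -> str:
    """Preview token stays bound to the acting user, is read-only and short-lived."""
    return _sign({"sub": target_id, "act": viewer_id,
                  "scope": "profile_preview", "exp": time.time() + 60})

def token_is_valid(token: str) -> bool:
    try:
        _verify(token)
        return True
    except ValueError:
        return False

def authorize(token: str, user_id: str, action: str) -> bool:
    """Server-side gate: previews only need the subject to match; anything else needs a
    full-scope token whose actor is the account owner, so a preview token cannot take over."""
    c = _verify(token)
    if action == "preview_profile":
        return c["sub"] == user_id
    return c["scope"] == "full" and c["act"] == user_id and c["sub"] == user_id
```

Any code path that issues tokens should be audited for the same property: the actor claim must always be the principal who authenticated, never a value chosen by the caller.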
So what’s the big deal? Well, to start, Facebook seems to be giving away access to users’ accounts. Maybe not intentionally, but the mechanism is in place that allows this to happen. Further, this isn’t the first time that we’ve seen this. And based on my previous posts, this will definitely not be the last. It’s almost like Facebook wants to be seen poorly by the general public because they keep letting these things happen, over and over again. Regardless, I don’t think this is the end, so stay tuned for the next Facebook screw-up.