Horror Stories: Facebook Fallout

by Sarah Harvey / October 9th, 2018

In late September, Facebook gave a new security update, outlining a breach that has impacted 50 million users – Facebook’s largest breach ever. The social network has been under intense scrutiny this year after the Cambridge Analytica scandal and has been redirecting their security team since the departure of their chief security officer, Alex Stamos. With the midterm elections coming up, this massive breach couldn’t have come at a worse time for Facebook. Users, regulators, lawmakers, and competitors are watching to see how Facebook improves the way it handles the private data of its users and how the social network giant handles this latest breach. Many believe it is time for the government to step in, and others are focusing on the GDPR implications of this breach.

Facebook’s Largest Breach: What Happened?

Even this early on in the investigation, Facebook knows that the attack stemmed from the “View As” feature, which impacted access tokens. Specifically, hackers exploited a combination of three bugs: one in a post composer for birthday posts, one in a new version of a video uploader, and one when using the “View As” feature in conjunction with the video uploader. In their security update, Facebook reported, “When using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user. The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”

If you've been logged out of your account and asked to sign back in, it’s because we've discovered a security issue and are taking immediate action to protect people on Facebook. Learn more https://t.co/XLcHGYFBu2

— Meta (@Meta) September 28, 2018

To quickly fix the vulnerability, Facebook reset the access tokens of the 50 million impacted accounts, plus reset another 40 million accounts as a precautionary measure. As a result, users had to log back into their account, then see a notification in their News Feed explaining the security incident. Facebook also switched off the “View As” feature during their security review. As the investigation continues, Facebook must provide transparency about three elements of this breach: if accounts or data were misused, who the attackers were, and if third-parties were impacted.

Facebook needs to clearly announce whether accounts were misused or if any private information was accessed during this breach. All we know so far is that the attackers retrieved basic profile information like name, gender, or hometown. Guy Rosen, vice president of product management at Facebook, explained in a press call, “…We don’t know exactly how – which and how – what information we will find has been used. What we’ve seen so far is that access tokens were not used to access things like private messages, or posts, or to post anything to these accounts and we’ll update as we learn more…what we also can confirm is that no credit card information has been taken. We do not display credit card information, even to account holders.”

The public also wants to know who these hackers are and who they’re supported by. Guy Rosen explained in a press call, “Given this investigation’s still early, we haven’t yet been able to determine if there’s specific targeting. It does seem broad and we don’t yet know who is behind these attacks or where there’s base – or where they might be based…The investigation is early, and it’s hard to determine exactly who was behind this, and we may never know. This is a complex interaction of multiple bugs that happened together. It did – it did need a certain level in order for the attacker to run this attack in a way that not only gets access tokens, but then pivots on those access tokens and continues to further – get further access tokens using this mechanism.”

Facebook must also investigate if any third-party services that use its single sign-on function were impacted by this breach. So far, Facebook hasn’t found evidence of third-parties becoming compromised. Thousands of companies use this identity provider function, like Spotify, Instagram, Airbnb, Pinterest, GoFundMe, Headspace, and others. Guy Rosen stated that WhatsApp users are not impacted by this breach, but Tinder has called on Facebook for transparency and full disclosure during their investigation to better support third-parties in their own investigations.

Midterm Elections, GDPR Implications, and Facebook’s Reputation

There seems to be two conversations surrounding Facebook’s latest breach: how this attack reflects Facebook’s preparation for the midterm elections and how this attack needs to be handled in terms of GDPR.

With the midterm elections coming up and the Cambridge Analytica scandal in the rearview, users, regulators, lawmakers, and competitors are watching to see how Facebook is protecting itself from election interference. In fact, two weeks before this breach, Mark Zuckerberg posted Preparing for Elections, a blog post addressing exactly that – Facebook’s defense against election interference. It calls for enforcement over fake accounts, the spreading of misinformation, and advertising transparency and verification. It also speaks of coordination with governments and industries across the globe. Zuckerberg wrote, “While we’ve made steady progress, we face sophisticated, well-funded adversaries. They won’t give up, and they will keep evolving. We need to constantly improve and stay one step ahead. This will take continued, heavy investment in security on our part, as well as close cooperation with governments, the tech industry, and security experts since no one institution can solve this on their own.”

In the wake of this latest breach, is Facebook’s defense plan enough?

With GDPR in mind, Facebook notified the FBI and the Irish Data Protection Commission of this breach. Many suspect that if not for the GDPR’s breach reporting requirements, Facebook wouldn’t have notified the public about this breach until there were more details about the scope of who was impacted and where the attack came from. From the Irish Data Protection Commission’s tweets, we can gather that they are not satisfied with the level of detail provided in Facebook’s breach report. Organizations worldwide need to recognize how strict GDPR’s breach reporting requirements are and what penalties they could face.

Facebook data breach. The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters. #dataprotection

— Data Protection Commission Ireland (@DPCIreland) September 28, 2018

.@DPCIreland is awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users. #dataprotection #GDPR #eudatap https://t.co/3oM3BSaSBS

— Data Protection Commission Ireland (@DPCIreland) September 30, 2018

During a press call, the New York Times asked Zuckerberg, “I’m just thinking back to your testimony in congress and one of the main points you made was if Facebook’s here to serve its users and if you can’t be responsible with user data then you don’t deserve to serve users. And I guess I’m just wondering if you still think you all are able to do that because it just — it seems like a pretty — another pretty big breach of user trust?” This is the exact question so many are wondering. If Facebook takes a hit from any more breaches or incidents, how will users, regulators, lawmakers, and competitors react?