
Facebook Security Meltdown Exposes Way More Sites Than Facebook

Facebook: Security Breach Extends to Other Apps Linked to the Site

On Friday, Facebook revealed that it had suffered a security breach that impacted at least 50 million of its users, and possibly as many as 90 million. What it failed to mention initially, but revealed in a follow-up call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted, it means that a hacker could have accessed any account that you log into using Facebook.

That’s a lot of them. You can read a fuller accounting of the hack here, but essentially it combines three bugs relating to Facebook’s “View As” feature, which lets users see what their profiles look like when other people view them. A video upload tool—intended to enable “Happy Birthday” videos—would erroneously appear on the “View As” page, and provide the access token of whomever the hacker searched for.

Facebook initially responded by logging out both the 50 million people it knows were affected by the attack, and an additional 40 million who were looked up with the “View As” tool in the last year. It also hit pause on the “View As” feature. But the second revelation Friday indicates that the fallout may be far more widespread than initially indicated.


Beyond the impact on Facebook accounts themselves, the company confirmed that the breach impacted Facebook’s implementation of Single Sign-On, the practice that lets you use one account to log into others. The idea is to use a trusted service—like Facebook, Google, Twitter, and so on—to log into sites and services across the web, rather than create a unique profile for each one. That saves time, and ensures you’re logging in through an entity you trust. In this case, it also appears to have potentially made Facebook’s breach an internet-wide calamity, at least for those impacted.

“The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” Guy Rosen, Facebook’s vice president of product, said in a call with reporters Friday. “Developers who used Facebook login will be able to detect those access tokens have been reset.”

It’s unclear how long those third-party sites will accept the stolen access tokens, or how difficult it would be for an attacker to use an access token to get into a third-party site.

Facebook separately says it has invalidated data access for third-party apps for the affected individuals, meaning if you’re one of the 90 million people potentially affected, you won’t be able to, say, share an image from Instagram over to Facebook without changing your password.

Meanwhile, Facebook has still not confirmed whether any third-party accounts were actually compromised, and still has not detailed exactly what type of data hackers could have gotten away with. (That they could gain full access to Facebook accounts gives at least a baseline: Anything and everything on your profile would have been exposed.) Facebook also declined to say exactly how long attackers took advantage of the vulnerability, which was introduced in July 2017. Fourteen months is a very large window to do potential damage.

As for how widespread the attack was, Rosen said the targeting appeared fairly broad. But New York Times reporter Mike Isaac noted that Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg had their accounts compromised as part of the attack.


Facebook already faces legal challenges as a result of the disclosure; Facebook users Carla Echavarrai and Derrick Walker have filed a class action suit in California. “It is shocking that after all the publicity surrounding Facebook’s handling of personal information in the wake of Cambridge Analytica and its promises to do better by its users that Facebook has yet again failed to protect consumers’ information from hackers,” said their attorney, John Yanchunis, in a statement.

The debacle also underscores broader concerns about Single Sign-On, which Friday turned into the ultimate object lesson in the inherent tradeoffs between security and convenience. “Single Sign-on schemes are great in the sense that the federal reserve cash vault in Atlanta is dramatically more secure than the safe at a local credit union,” says Kenn White, director of the Open Crypto Audit Project. “But the downside is if a Single Sign-on gets breached you’re hosed.”

Sticking with one more secure sign-in does make sense, especially for use on sites that don’t have the resources or inclination to invest heavily in security development. But just like you want your passwords to be unique so compromising one doesn’t expose them all, account diversity is also vital online no matter how ironclad a particular sign-in scheme is. “You don’t want a situation where there’s one breach and your entire online identity is gone,” White says.

It remains to be seen whether that’s the case for 50 million—or 90 million—Facebook users. “We’re just starting to work through the full scope of what we’ve seen here,” said Rosen. For those affected, it’s an excruciating wait.

Additional reporting by Issie Lapowsky.

source: wired.com

The social networking company Facebook announced on Saturday that a security breach its website suffered last Tuesday may extend to other applications linked to it.

The Associated Press quoted Guy Rosen, the company's vice president of product management, as saying that the attackers, who were able to access Facebook subscribers' data, could break into other applications linked to it, particularly Instagram.

For its part, the news site Business Insider reported that the apps and services Tinder (dating), Airbnb (apartment rentals), and Spotify (music sharing) are among those most closely tied to Facebook login data.

Yesterday, Friday, the American giant announced that its computers had been subjected to a cyberattack that resulted in a security breach of the data of about 50 million accounts.

It explained, in a statement, that the attackers exploited a vulnerability in the “View As” feature, which allows subscribers to see how their profile appears to others.

The statement added that the vulnerability “allowed the attackers to steal Facebook access tokens, which could help them take over people's accounts,” noting that the company had notified the authorities to investigate the matter.

“Access tokens” are the equivalent of digital keys that keep users logged in to Facebook without needing to enter their passwords each time they visit the site.

As of 10:17 GMT this morning, Friday, the authorities responsible for the investigation had not announced any progress in identifying those behind the attack.
