Last week, Facebook announced that up to 50 million users had been left exposed by a security flaw which enabled attackers to gain control of people’s accounts.
It’s one of the first big data breaches since GDPR came into force, and many have already calculated that Facebook could potentially be fined up to $1.63 billion, which is 4% of its global annual turnover, the maximum penalty GDPR allows.
The breach and associated financial penalty will no doubt go down in history, and now that the dust is beginning to settle, we’re already seeing lessons that organisations can learn.
1. How did it happen, and how can other organisations prevent this?
The breach occurred due to a combination of three bugs in Facebook’s systems being exploited.
Firstly, the View As feature – a privacy feature which lets users see what their own profile looks like to another person – incorrectly displayed the video uploader, the composer used to post birthday videos, which should never have been available inside View As. Secondly, that uploader generated an access token with the permissions of the Facebook mobile app rather than the narrow permissions it actually needed. Thirdly, when the uploader appeared inside View As, the token it generated was issued for the user being looked up rather than for the logged-in viewer. An attacker who triggered all three therefore ended up holding a full-permission token for whichever account they were interested in.
The breach was discovered after Facebook noticed an unusual spike in traffic, caused by attackers running the exploit at scale to leapfrog from one account to its friends, and on to their friends, harvesting tokens and user information as they went.
Each bug played its own part in this breach. The third bug – the one that generated the token for the wrong user – is what did the real damage, but it could not have been exploited without the other two: without the first there was no uploader inside View As to trigger it, and without the second the token it produced would have carried far fewer permissions.
Due to the subtlety of these bugs, they were unlikely to be detected by static code analysis, and even if they had been found using dynamic techniques such as penetration testing, each one would have looked low-risk in isolation. Most likely because of the sheer complexity of the Facebook application, these particular issues were missed.
As well as carrying out regular testing, it’s vital for researchers to share knowledge about how individually low-risk bugs can be chained into a single exploitable path that ultimately wreaks havoc on an organisation’s systems.
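To make the chaining point concrete, here is an added toy model of the three-bug combination described above, written in Python. It is not Facebook’s code and assumes nothing about their real systems: the token format, the scopes, the tiny social graph and the three `Issuer` flags are all invented for the illustration. Each flag switches one bug on; the attacker’s crawl only succeeds when all three are present, which is exactly why each bug looked low-risk on its own.

```python
"""
Toy model of a three-bug chain of the kind described above. This is an added
illustration, not Facebook's code: the token format, the scopes, the profile
data and the Issuer flags are all assumptions invented for the example.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

SECRET = secrets.token_bytes(32)  # signing key for the toy token service

# Constructed sample data: a tiny social graph the toy service knows about.
PROFILES = {
    "alice":   {"email": "alice@example.invalid",   "friends": ["bob"]},
    "bob":     {"email": "bob@example.invalid",     "friends": ["alice", "carol"]},
    "carol":   {"email": "carol@example.invalid",   "friends": ["bob"]},
    "mallory": {"email": "mallory@example.invalid", "friends": []},
}


def sign(claims: dict) -> str:
    """Mint an HMAC-signed token of the form '<json claims>.<hex mac>'."""
    body = json.dumps(claims, sort_keys=True)
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str) -> dict:
    """Check the signature and return the claims, or raise."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("bad token signature")
    return json.loads(body)


def login_token(user: str) -> str:
    """A user's normal session token: it acts only for that user."""
    return sign({"sub": user, "scope": ["profile:read", "video:upload"]})


def read_profile(token: str, target: str) -> dict:
    """Resource server: reading X's profile needs a token for X carrying profile:read."""
    claims = verify(token)
    if claims["sub"] != target or "profile:read" not in claims["scope"]:
        raise PermissionError("token does not authorise this read")
    return PROFILES[target]


@dataclass
class Issuer:
    """View As renderer. Each flag switches one bug on; all False is the fixed service."""
    composer_in_view_as: bool   # bug 1: the video composer is rendered inside View As
    full_app_scope: bool        # bug 2: the composer's token gets every app permission
    subject_is_viewed_as: bool  # bug 3: the token is issued for the viewed-as user

    def mint_composer_token(self, caller: str, viewed_as: str) -> str:
        sub = viewed_as if self.subject_is_viewed_as else caller
        scope = ["video:upload", "profile:read"] if self.full_app_scope else ["video:upload"]
        return sign({"sub": sub, "scope": scope})

    def render_view_as(self, caller_token: str, viewed_as: str) -> dict:
        caller = verify(caller_token)["sub"]
        page = {"viewer": caller, "viewed_as": viewed_as, "composer_token": None}
        if self.composer_in_view_as:
            page["composer_token"] = self.mint_composer_token(caller, viewed_as)
        return page


def harvest(issuer: Issuer, attacker_token: str, start: str, limit: int = 100) -> dict:
    """Attacker's crawl: View As a victim, take whatever token the page leaks,
    read the victim's profile with it, then queue the victim's friends."""
    taken, seen, queue = {}, set(), [start]
    while queue and len(taken) < limit:
        victim = queue.pop(0)
        if victim in seen:
            continue
        seen.add(victim)
        leaked = issuer.render_view_as(attacker_token, victim)["composer_token"]
        if leaked is None:          # bug 1 absent: nothing to steal
            continue
        try:
            profile = read_profile(leaked, victim)
        except PermissionError:     # bug 2 or bug 3 absent: the token is useless here
            continue
        taken[victim] = profile
        queue.extend(profile["friends"])
    return taken


if __name__ == "__main__":
    mallory = login_token("mallory")
    print("all three bugs:", sorted(harvest(Issuer(True, True, True), mallory, "alice")))
    for fixed in ("composer_in_view_as", "full_app_scope", "subject_is_viewed_as"):
        flags = dict(composer_in_view_as=True, full_app_scope=True, subject_is_viewed_as=True)
        flags[fixed] = False
        print(f"{fixed} fixed:", sorted(harvest(Issuer(**flags), mallory, "alice")))
```

Turning off any single flag leaves a much smaller problem (with only bugs 1 and 3 present, for instance, the attacker still gets a token that can upload a video as the victim), which is exactly the kind of finding a tester might rate low. The fix that matters most is the one that removes the wrong-subject token: a token’s subject must always be the authenticated caller, never a parameter of the page being rendered.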
2. Are bug bounty programmes sufficient?
One of the big questions after the news of this breach surfaced was how this could have happened, given Facebook’s bug bounty programme and its policy of having no maximum pay-out – something that one would assume would be attractive to hackers.
Previously, Facebook has offered $40,000 to researchers who pointed out holes in its infrastructure. However, rather than aiming for this kind of reward, the attackers chose to target Facebook’s systems – raising important questions about the draw of selling details on the dark web, and whether existing bug bounty programs are enough to turn black hats into white hats.
3. How do companies maintain trust after a breach?
At first, it looked like Facebook was carrying out a model response to the data breach. It quickly logged affected users out of their accounts and promptly notified them and the authorities.
However, reports soon started spreading about multiple Facebook users whose posts about the data breach were blocked when they tried to share them. As well as this, a week on, Facebook still hasn’t confirmed what type of data was exposed. So far, it looks like attackers were able to – and probably did – export the contents of entire profiles. If one user’s profile contains roughly 600MB of data, then 50 million profiles would amount to up to 30,000TB exported. This hasn’t yet been confirmed, which is fuelling speculation amongst the media and worried users.
While the scale of this problem is unique to large and complex software companies like Facebook, it still emphasises the importance of a transparent, quick and honest response to a data breach, and shows how a lack of clarity can make a bad situation much worse. What’s left now is for Facebook to begin rebuilding its battered reputation.