Unlike: an analysis of the Facebook breach

Author: Simon Fletcher

Date: 5th December 2018

Last week, Facebook announced that up to 50 million users had been left exposed by a security flaw which enabled attackers to gain control of people’s accounts.
It’s one of the first big data breaches since GDPR, and many have already calculated that Facebook could potentially be fined up to $1.63 billion.

The breach and associated financial penalty will no doubt go down in history, and now that the dust is beginning to settle, we’re already seeing lessons that organisations can learn.

1. How did it happen, and how can other organisations prevent this?
The breach occurred due to a combination of three bugs in Facebook’s systems being exploited.

Firstly, when some users used the View As feature – a privacy feature which lets users see what their own profile looks like to another person – it enabled them to upload a video, which shouldn’t have been a functionality of View As. Attackers then realised that if a video was uploaded, Facebook would generate a token allowing access to both their account and, finally, the account they were interested in.

The breach was discovered following a spike in traffic, which occurred when attackers started to exploit the vulnerability to leapfrog from one account to the next, gathering user information.

This was due to a complex combination of bugs, with each playing its own part in this breach. The third bug – which ultimately generated the incorrect token – is the one that did the real damage, but it still could have been exploited without the other two.

Due the subtlety of these bugs, they were unlikely to be detected with static code analysis – and even if they were detected using dynamic techniques, such as penetration testing, they would have appeared to be low-risk. However – most likely due to the complexity of the Facebook application – these particular issues got missed.

As well as carrying out regular testing, it’s vital for researchers to share knowledge about how low-risk bugs pose a threat by creating a chain of vulnerabilities that can be exploited, and ultimately wreak havoc on an organisation’s systems.

2. Are bug bounty programmes sufficient?
One of the big questions after the news of this breach surfaced was how this could have happened, given Facebook’s bug bounty programme and its policy of having no maximum pay-out – something that one would assume would be attractive to hackers.

Previously, Facebook has offered $40,000 to researchers who pointed out holes in its infrastructure. However, rather than aiming for this kind of reward, the attackers chose to target Facebook’s systems – raising important questions about the draw of selling details on the dark web, and whether existing bug bounty programs are enough to turn black hats into white hats.

3. How do companies maintain trust after a breach?
At first, it looked like Facebook was carrying out a model response to the data breach. It quickly logged affected users out of their accounts and promptly notified them and the authorities.

However, reports soon started spreading about multiple Facebook users whose actions were blocked when they attempted to create posts about the data breach. As well as this, a week on, Facebook still hasn’t confirmed details concerning the type of data exposed. So far, it looks like attackers were able to – and probably did – export the contents of entire profiles. If the profile of one user roughly contains about 600MB of data, this meant that the attackers could have exported up to 30,000TB of data. However, this hasn’t yet been confirmed – fuelling speculation amongst the media and worried users.

While this is a problem that is unique to large and complex software companies like Facebook, it still emphasises the importance of a transparent, quick and honest response to a data breach – and how a lack of clarity can make a bad situation much worse. Now, what’s left is for Facebook to begin re-building its battered reputation.

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

Unlike: an analysis of the Facebook breach

Author: Simon Fletcher

Date: 5th December 2018

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta