[BreachExchange] The Massive Facebook Hack Might Have Affected Users’ Other Apps and Websites, Too

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 1 20:20:35 EDT 2018


Hours after Facebook announced on Friday a huge data breach that affected
at least 50 million users, the news got worse.

In a conference call with reporters—Facebook’s second of the day, after the
first one left many questions unanswered—the company’s vice president of
product, Guy Rosen, said that the hackers could have also gained access to
users’ accounts on other apps and websites, beyond Facebook itself, via
Facebook Login. That’s the feature of Facebook that allows you to sign up
for, and log in to, all kinds of other online services using your Facebook
credentials. For users whose Facebook accounts were hacked, the company
confirmed, it’s possible that those third-party accounts could have been
breached as well.

The follow-up call was meant to clarify some of the details of the breach,
which is almost certainly the most significant in Facebook’s history. In
it, Rosen explained how three separate bugs combined to give hackers a path
to full control of users’ Facebook accounts. They gained access not by
stealing users’ passwords, but via a sort of digital key called an “access
token” that’s meant to let you into your account on another device (say,
your phone) automatically when you’re already logged in on another (say,
your laptop).

The good news is that the hackers don’t have anyone’s Facebook passwords—so
even users who were affected by the breach don’t necessarily have to change
those. The bad news: They could theoretically have used that same token to
gain access to some of users’ other online accounts, depending on how the
relevant apps and sites handle Facebook access tokens. It was not
immediately clear whether the hackers—who remain unknown—actually took
advantage of this, nor how easy it would have been for them to do so.

Any such connections should have been broken when Facebook reset the access
tokens of the affected users, beginning Thursday night. That would have
logged users out of those third-party apps and sites.
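As an added example (not code from the article or from Facebook), here is the check a third-party site should run before honouring a Facebook Login token sent by a client, which is the "how apps handle access tokens" point above: it asks Facebook's token-inspection endpoint whether the token is still valid and was issued for this app, so a token that Facebook has reset fails the first check, which is why the reset logs users out of such sites. The `fetch_debug_info` callback, the app id and the response dicts are assumptions that stand in for the live HTTP call so the logic runs offline.

```python
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Placeholder for the relying party's own Facebook app id (assumption).
OUR_APP_ID = "123456789012345"


@dataclass
class Verdict:
    accepted: bool
    reason: str
    user_id: Optional[str] = None


def validate_fb_token(token: str,
                      fetch_debug_info: Callable[[str], Dict[str, Any]],
                      now: Optional[float] = None) -> Verdict:
    """Decide whether a client-supplied token may log someone in here.

    fetch_debug_info stands in for GET /debug_token on Facebook's Graph API,
    called with the site's own app token; it returns the endpoint's `data`
    object. Run this on every login and periodically on live sessions, so a
    token Facebook has reset stops working here too.
    """
    now = time.time() if now is None else now
    info = fetch_debug_info(token)
    if not info.get("is_valid"):
        # Covers revoked tokens, e.g. those Facebook reset after the breach.
        return Verdict(False, "token revoked or invalid")
    if info.get("app_id") != OUR_APP_ID:
        # A token minted for some other app must never authenticate a user here.
        return Verdict(False, "token issued for a different app")
    if info.get("expires_at", 0) and info["expires_at"] <= now:
        return Verdict(False, "token expired")
    # Only now bind the local session to the Facebook-confirmed user id.
    return Verdict(True, "ok", info.get("user_id"))


# Constructed debug_token responses, keyed by token, mirroring the endpoint's
# `data` object (is_valid, app_id, user_id, expires_at). Sample data only.
_DEBUG_RESPONSES = {
    "tok-good": {"is_valid": True, "app_id": OUR_APP_ID,
                 "user_id": "u-42", "expires_at": 4102444800},
    "tok-foreign": {"is_valid": True, "app_id": "999",
                    "user_id": "u-42", "expires_at": 4102444800},
    "tok-reset": {"is_valid": False, "app_id": OUR_APP_ID, "user_id": "u-42",
                  "error": {"code": 190, "message": "Error validating access token"}},
}


def fake_fetch(token: str) -> Dict[str, Any]:
    """Offline stand-in for the Graph API call (assumption)."""
    return _DEBUG_RESPONSES.get(token, {"is_valid": False})
```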

Facebook also clarified that users affected by the Facebook breach who had
Instagram or Oculus accounts linked to their Facebook account would need to
delink and relink those accounts. One piece of good news: WhatsApp was
apparently not affected. The story is still developing, and more details
are likely to emerge in the days to come.

But there’s already one conclusion we can make: There was a time when
Facebook harbored ambitions to be a sort of “universal login” for sites and
apps everywhere—like a driver’s license for the online world. That never
quite came to pass, but it did get pretty far along. This should be the
final answer to the question of whether it was ever a good idea.