https://www.forbes.com/sites/thomas...-disaster-for-internet-security/#1abf7af72033
Facebook dropped a bombshell on Friday when it revealed an unknown hacker had breached the site, compromising the accounts of 50 million users. The company's security team found three bugs were used in the attacks, saying they were used in combination to successfully break into Facebook accounts.
Forbes spoke with professional web app hacker and cybersecurity researcher Thomas Shadwell, who pieced together a likely hypothesis on how the mystery hacker or hackers carried out what’s believed to be the most significant ever attack to have hit the social media beast.
The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.” Essentially, these tokens prove the Facebook user is the rightful owner of an account and denote what they have access to. As Shadwell describes them: “OAuth tokens are like car keys, if you're holding them you can use them, there's no discrimination of the holder.” And in the context of this attack, those keys unlocked not just Facebook accounts, but any site that affected users accessed with a Facebook login. That might include Instagram or news websites.
To get those keys, the hackers abused a feature in Facebook called “View As.” It allows any user to see what another can access on their profile. For instance, if you’ve blocked your dad from looking at your photos, you can check it’s working by effectively impersonating your father and viewing your profile.
“It looks like when Facebook built the View As feature, they did this by making it a modification of how Facebook would work if actually viewed by that other user,” said Shadwell. “Which of course means if there's a mistake they might end up sending the impersonated user's credentials to the user of the 'View As' feature.”
This is where things get a bit weirder. If a user, via View As, impersonated a friend who themselves had a friend who had a birthday, the feature would also show a box prompting them to post a “happy birthday” video. Thanks to an error made by Facebook in July 2017, the video provided the user with one of those precious tokens, Shadwell said. More specifically, the video player generated and sent the user a token, one that would log them into the Facebook mobile app as if they were the person they were impersonating via View As. From there the user (in this case a malicious hacker) would have total access over that other person’s account.
The attackers wouldn’t have found it difficult to spin up the basic premise of that hack into something massive, affecting millions of accounts. “As for scale, well, there's not really any interaction of the target required, so it's not particularly difficult to automate,” Shadwell added.
Facebook hasn’t said just how many accounts were hacked, where victims were based or who was behind the attack. According to Shadwell, it would’ve taken significant skill to carry it out. “It's very technically impressive to pull this off.”
An internet catastrophe
What’s most worrying of all, though, is what the hack has proven: that a company with the resources and power of Facebook can be robbed of keys that allow access to
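To make the design flaw Shadwell describes concrete, here is an added example in Python. It is not Facebook's code and not part of the quoted article; the request context, the profile renderer, the birthday widget and the friends/birthday data are all hypothetical, constructed for illustration. It models a "View As" preview as a normal render with the effective user swapped for the impersonated one, shows how a widget that mints a credential for the effective user then ships the impersonated user's bearer token to the real requester, and shows a hardened renderer beside it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Server-side signing key, generated for this demo. A real service would load
# it from a secret store; the point here is only that tokens are server-minted.
SERVER_KEY = secrets.token_bytes(32)


def mint_token(user_id: str, scope: str) -> str:
    """Issue a bearer token for user_id. Nothing in it binds it to whoever
    ends up holding it: presenting it is all that is needed to use it."""
    body = f"{user_id}:{scope}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def verify_token(token: str) -> Optional[Tuple[str, str]]:
    """Resource-server side: accept any token with a valid tag and return the
    (user_id, scope) it grants. The presenter's own identity is never consulted,
    which is exactly the 'car keys' property in the article."""
    body, _, tag = token.rpartition(":")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    parts = body.split(":")
    if len(parts) != 3:
        return None
    user_id, scope, _nonce = parts
    return user_id, scope


@dataclass(frozen=True)
class RequestContext:
    authenticated_user: str  # the principal whose session made the request
    effective_user: str      # the principal the page is rendered "as"

    @property
    def is_preview(self) -> bool:
        # "View As": the page is rendered from someone else's perspective.
        return self.authenticated_user != self.effective_user


# Constructed sample data (hypothetical): who has a birthday today and who is
# friends with whom.
BIRTHDAYS_TODAY = {"carol"}
FRIENDS = {"bob": {"carol", "alice"}, "alice": {"bob"}, "carol": {"bob"}}


def render_profile_vulnerable(ctx: RequestContext, owner: str) -> dict:
    """Render 'owner' as seen by ctx.effective_user.

    The birthday widget needs an upload credential for the viewer and takes the
    viewer from the effective (possibly impersonated) principal. In a preview it
    therefore mints a token for the impersonated user and hands it to the real
    requester embedded in the page.
    """
    page = {"owner": owner, "viewer": ctx.effective_user}
    birthdays = FRIENDS.get(ctx.effective_user, set()) & BIRTHDAYS_TODAY
    if birthdays:
        page["birthday_prompt"] = sorted(birthdays)
        page["upload_token"] = mint_token(ctx.effective_user, "upload_video")  # BUG
    return page


def render_profile_fixed(ctx: RequestContext, owner: str) -> dict:
    """Same page with two independent fixes: a credential is only ever minted
    for the authenticated principal, and a preview carries no credentials at
    all (the impersonated user's widgets are drawn, but inert)."""
    page = {"owner": owner, "viewer": ctx.effective_user}
    birthdays = FRIENDS.get(ctx.effective_user, set()) & BIRTHDAYS_TODAY
    if birthdays:
        page["birthday_prompt"] = sorted(birthdays)
        if not ctx.is_preview:
            page["upload_token"] = mint_token(ctx.authenticated_user, "upload_video")
    return page


def who_can_i_act_as(page: dict) -> Optional[str]:
    """What the recipient of the rendered page gains: the identity a resource
    server will attribute to them if they present the embedded token."""
    token = page.get("upload_token")
    if token is None:
        return None
    verified = verify_token(token)
    return verified[0] if verified else None


def demo() -> dict:
    # alice previews her own profile "as" bob. bob is friends with carol, whose
    # birthday is today, so the birthday widget appears in bob's view.
    ctx = RequestContext(authenticated_user="alice", effective_user="bob")
    return {
        "vulnerable": who_can_i_act_as(render_profile_vulnerable(ctx, "alice")),
        "fixed": who_can_i_act_as(render_profile_fixed(ctx, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable renderer returns a page whose embedded token verifies as "bob" even though "alice" made the request; no interaction from bob is needed, which is why the same request can be repeated against any number of impersonated users. The fixed renderer keeps the preview purely visual, and even outside preview it mints only for the session's authenticated principal, so a mistake in which user the widget considers "the viewer" can no longer turn into someone else's credential.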