Facebook Hacked Involving 50 Million Victims, How Did That Happen?

Author - Oct 11, 2018



Attackers were able to take over up to 50 million user accounts by exploiting three distinct bugs chained together, according to details disclosed by Facebook.

Attackers broke into Facebook's systems and obtained the access tokens of 50 million users, the company disclosed on Friday.

According to the company, the social network forced 90 million users to log out and log back in: 50 million direct victims and a further 40 million who may have been affected. The reason was that attackers had stolen their "access tokens". An access token is a kind of digital key that Facebook creates so that you can log in and stay logged in; for example, it is what keeps you signed in when the Facebook mobile app opens another part of Facebook inside a browser (which happens when you tap a link).

Although an access token does not contain your password, it lets whoever holds it stay logged in as you, which means they can control the account as they wish.

Facebook's vice president of product management, Guy Rosen, told reporters on a press call that a mechanism called single sign-on is used for parts of the site and can create a new access token. It works like this: when you are logged into the Facebook mobile app and it asks to open another part of Facebook in a browser, single sign-on generates an access token for that browser window, so you do not have to log in again there.

Rosen said that the attackers stole the tokens by exploiting three different vulnerabilities chained together.

The vulnerabilities, which had existed since at least July 2017, related to Facebook's "View As" tool, which lets you view your own profile as if you were somebody else (a privacy feature for checking whether someone you do not want to see your posts can see them).

This may be hard to picture if you have never used the feature. To clarify: when you want to hide some posts from one of your friends, you can change your Facebook privacy settings so that this friend can see only certain of your posts. To check that your privacy settings are working, you can use the View As tool to view your profile as if you were that friend. Of course, you are not actually that person and you do not gain access to their account, because it is only a simulation. But if you were the attackers, this chain of bugs would have let you acquire your friend's access token and then use that token to log into their account with full control over it.


Rosen emphasized that the attackers could use the account in any way they wanted, as if they were the real account owner.

Rosen explained the first bug: on certain posts that encourage people to post happy birthday greetings on Facebook, the video uploader was visible on View As pages. Normally the uploader should not appear there. The second bug was that this video uploader generated an access token that allowed logging into the Facebook app, which is not how the feature is supposed to work.

The final bug, Rosen added, was that when the video uploader appeared as part of the View As feature, it generated a new access token for the user being impersonated, not for the user who was actually logged in. That let the person using View As obtain the keys to the impersonated user's account. Continuing the example above, this would not only have let you view your friend's profile through View As, but would also have created an access token that lets you log in and take over your friend's account.


Rosen noted that the vulnerability the attackers exploited was the combination of those three bugs. To carry out the attack, they had to find this vulnerability and obtain an access token, then switch to that token for another account and use it to view further users and obtain more access tokens.
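The three bugs and the pivot described above can be modelled in a few lines. The following is an added illustration written for this article, not Facebook's code: the token format, the `Session`/`render_view_as` names, the `post_kind` flag and the `FRIENDS` social graph are all hypothetical. The point it demonstrates is the authorization error at the core of bug three: a token-minting path that takes its subject from a request-controlled "view as" identity instead of from the authenticated session, and how every token obtained that way becomes a new vantage point from which more can be harvested.

```python
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass

# Constructed server-side signing key for the toy token format; not Facebook's.
SIGNING_KEY = b"toy-signing-key"


def mint_token(subject: str) -> str:
    """Mint a bearer token whose subject is `subject` (toy HMAC format)."""
    nonce = secrets.token_hex(8)
    body = f"{subject}:{nonce}"
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}:{mac}"


def token_subject(token: str) -> str:
    """Verify the MAC and return the account the token grants access to."""
    subject, nonce, mac = token.split(":")
    body = f"{subject}:{nonce}"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad token")
    return subject


@dataclass(frozen=True)
class Session:
    user_id: str  # the principal who actually authenticated


def render_view_as(session: Session, target: str, post_kind: str, *,
                   hide_uploader_in_view_as: bool, mint_for_session: bool):
    """Render `session.user_id`'s profile as `target` would see it.

    Returns (components, token). View As is a read-only preview, so no
    component should need a fresh token; `token` is None when nothing was minted.
    """
    components = ["profile_preview"]
    token = None
    uploader_shown = post_kind == "birthday" and not hide_uploader_in_view_as
    if uploader_shown:
        # Bug 1: the birthday-post video uploader appears inside View As.
        components.append("video_uploader")
        # Bug 2: the uploader opens a browser window via single sign-on and
        # mints an access token for it.
        # Bug 3: the subject of that token comes from the impersonated
        # identity instead of the authenticated session.
        subject = session.user_id if mint_for_session else target
        token = mint_token(subject)
    return components, token


def vulnerable_view_as(session: Session, target: str, post_kind: str = "birthday"):
    return render_view_as(session, target, post_kind,
                          hide_uploader_in_view_as=False, mint_for_session=False)


def fixed_view_as(session: Session, target: str, post_kind: str = "birthday"):
    # Fix: no uploader inside View As, and any token is bound to the session.
    return render_view_as(session, target, post_kind,
                          hide_uploader_in_view_as=True, mint_for_session=True)


def harvest_tokens(start: Session, friends_of: dict, limit: int) -> dict:
    """Model of the pivot: each token obtained through the vulnerable path is
    used as a new session from which View As is run against further accounts.
    Returns {account: token} for every account reached, up to `limit`."""
    harvested = {}
    visited = {start.user_id}
    queue = deque([start])
    while queue and len(harvested) < limit:
        sess = queue.popleft()
        for friend in friends_of.get(sess.user_id, ()):
            if friend in visited or len(harvested) >= limit:
                continue
            _, tok = vulnerable_view_as(sess, friend)
            if tok is not None and token_subject(tok) == friend:
                harvested[friend] = tok
                visited.add(friend)
                queue.append(Session(token_subject(tok)))
    return harvested


# Constructed social graph for the demonstration.
FRIENDS = {
    "alice": ["bob", "carol"],
    "bob": ["alice", "dave"],
    "carol": ["alice", "erin"],
    "dave": ["bob"],
    "erin": ["carol"],
}

if __name__ == "__main__":
    _, tok = vulnerable_view_as(Session("alice"), "bob")
    print("vulnerable: token subject =", token_subject(tok))
    _, tok = fixed_view_as(Session("alice"), "bob")
    print("fixed: token minted =", tok)
    print("pivot reached:", sorted(harvest_tokens(Session("alice"), FRIENDS, 10)))
```

The check worth carrying into real code is the one the fixed path enforces: any token minted as a side effect of rendering must have its subject derived from the authenticated session, never from a parameter the caller controls, and a preview feature such as View As should not be able to mint tokens at all.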

He believed this was a relatively sophisticated attack, particularly in taking the logins of 50 million users, and said it resulted from a complicated interaction of several bugs occurring together.

Rosen said they discovered the attack as it spread and began investigating, but they did not yet understand clearly how the accounts had been misused.

Facebook should have been able to find the bug before the attackers put their plan into action, Ryan Stortz, a security researcher at Trail of Bits, told Motherboard.

Stortz told Motherboard in an online chat that Facebook has an API filter through which they stream all account changes (writes), and that it should have caught this. He did not know what the flaw was, but said that if Zuck's account was taken over, things were really bad, and they should have had a write filter to prevent that.

But this was not a commonplace bug to find, said a former Facebook security engineer.

Zac Morris, who worked in Facebook's security division from 2012 to 2016, told Motherboard that the "View As" code had been all over the place for a while, so he was not surprised that it had some bugs, but that it was "kind of a hell of a find", and that pivoting from that into full access tokens was pretty impressive.

Morris said that, as one of those affected, he is mostly curious about why it was done and who did it. He added that it is a little scary that the attackers must have had a better way to monetize it than a $30,000 bug bounty report.

According to Rosen, if you were not forced to log out, you may not be affected, and you do not need to change your password because the attackers did not steal it. Facebook said it has temporarily turned off the View As feature.
