Analysis: It was only a matter of time
Last week, Facebook revealed it had suffered a breach of 50 million users’ data. And now we hear 40 million more people needed their ID tokens resetting—because the vulnerability existed for more than a year.
But because people often use Facebook as an identity provider, the problem goes deeper than just the info Mister Zuckerberg knows about you. Hackers could have broken into other websites, using the stolen identities. Ouch.
Move fast and break things, as Facebook’s DevOps devotees must chant. In this week’s ID Blogwatch, we slow down and authenticate securely.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Animals of the Space Race…
In case you’ve been living under a rock, here’s what happened last week. Kyt Dotson and Robert Hof have Hackers exploit Facebook security flaw:
The engineering team at Facebook Inc. has discovered and fixed a security issue … that exploited a vulnerability in [its] “View As” feature. … The issue comes at a bad time for Facebook, which has had repeated problems with privacy and data protection issues.
Lawyers are already circling, too. A class action lawsuit was filed Friday.
As a result, more than 90 million people will have needed to log back into Facebook to reset their security credentials. … Users who have not reset their access tokens can also take a precautionary measure of fully logging [out] by visiting the “Security and Login” section in their settings.
And later, this was Josh Constine’s considered angle—Until data is misused, Facebook’s breach will be forgotten:
Privacy issues are abstract concepts for most people until they become security or ideological problems. … We’re growing accustomed to letting out a deep sigh with maybe some expletives, and moving on with our lives.
In pursuit of rapid growth … Facebook failed to protect its users. … But despite the potential that [it] could have let the attackers take over user accounts … and scrape their personal info, it’s unclear how much users really care.
[But] if Facebook discovers the hack was perpetrated by a foreign government to interfere with elections [or] by criminals to … steal people’s bank accounts [then] out will come the pitchforks and torches. … The breach could finish the job of destroying Facebook’s brand.
[If] the tokens were used to access other services like Airbnb or Spotify that rely on Facebook Login, [it] could steer potential partners away from building atop Facebook’s identity platform.
Ah yes, who’d trust Facebook as an identity/authentication provider? Brian Barrett, Lily Hay Newman, and Issie Lapowsky tag-team to say it exposes way more sites than Facebook:
The fallout may be far more widespread than initially indicated. … The flaw affects more than just Facebook. … It means that a hacker could have accessed any account that you log into using Facebook.
[This has] turned into the ultimate object lesson in the inherent tradeoffs between security and convenience. … Just like you want your passwords to be unique so compromising one doesn’t expose them all, account diversity is also vital online no matter how ironclad a particular sign-in scheme is.
Who will join the dots? Will Oremus will: [You’re fired—Ed.]
The breach would have allowed hackers to access not only your Facebook account, but your accounts on other sites where you used Facebook as your login.
Also … users affected by the breach who have Instagram or Oculus accounts linked to their Facebook account will have to un-link and re-link them.
Veridium CTO John Callahan says it was only a matter of time:
My first reaction: Are we surprised?
There have been several other stories recently about Facebook’s need for and exploitation of user data.
When data lives in a centralized silo, it is only a matter of time before it is compromised. Decentralization doesn’t solve everything, but it spreads out the attack surface. I’ve been on recent customer calls … where decentralization for the protection from data breaches is a primary requirement.
In a similar vein, here’s Professor Jonathan Zittrain:
Years ago Dan Geer warned of the dangers of software monocultures. Facebook is not only an app so central that people call it a platform — but it’s also a de facto basis for identity.
Users put more eggs in its basket than it appears. Dan was right.
But what the heck went wrong? Facebook veep Guy Rosen explainifies [PDF]:
The vulnerability itself was the result of … three distinct bugs and the interaction between them. … It was introduced … in July 2017.
The first bug was that, when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all. But in a very specific case, on certain types of posts that are encouraging people to post happy birthday greetings, it did show up.
The second bug was that this video uploader incorrectly used the single signon functionally: … It generated an access token that had the permissions of the Facebook mobile app. And that’s not the way the single sign-on functionality is intended to be used.
The third bug was that … the video uploader … generated the access token, not for you as the viewer, but for the user that you are looking up. … This is a complex interaction of multiple bugs that happened together.
We did see this attack being used at a fairly large scale, and that’s how we discovered this. … We saw a pattern of usage … and then when we dug in to understand that, we found [it was] driven by an attack.
OK, but how? Here’s Ryan Blatz, explaining Facebook’s “move fast and break things” mantra:
Technical debt, multiple systems using multiple old authentication routines getting slowly upgraded to new auth methods. And no one taking the time to fully understand the ramifications.
And honestly it seems like that was the right choice for the teams responsible. They all made tons of money, delivered features, and now years later a bug is found.
And ex-Microsoft president Steven Sinofsky says it similarly:
This is really about how the culture of security came about. Why do BigCo seem “slow”? [They] got big by executing and exist [in] execution mode, not crisis mode—getting stuff done.
Any crisis that arises is just another thing … to thwart execution. To be in scale/execute mode is to be under siege to prevent execution.
Microsoft went through a massive culture change when it came time to address security company wide. … What takes time is for company’s to feel they have permission and capability to essentially break what was built.
It gets worse. Here’s Hannah Kuchler—@hannahkuchler:
A [Facebook PR] spokesperson told me … Mark Zuckerberg and Sheryl Sandberg’s Facebook accounts were both among the … 50m that were compromised.
Facebook’s corporate secrets may have been exposed.
Meanwhile, Ray Marron Smelled this coming a mile away:
And that’s why the only thing you use Facebook authentication for is Facebook.
Animals of the Space Race—and how they prevented nuclear war
“History that deserves to be remembered”
You have been reading ID Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.