The Facebook Hack Exposes an Internet-Wide Failure
Author: Issie Lapowsky, 10.02.18, 10:12 AM
Facebook has received ample blame for the historic data
breach that allowed hackers to not only take over the accounts of at least 50
million users but also access third-party websites those users logged into with
Facebook. But what makes it so much worse is that fixing the issue is, in many
ways, out of Facebook's hands.
Some of the web’s most popular sites have not implemented
basic security precautions that would have limited the fallout of the Facebook
hack, according to a recent research paper out of the University of Illinois at
Chicago. If they had taken more care with their implementation of Facebook's
Single Sign-On feature—which lets you use your Facebook account to access other
sites and services, rather than creating a unique password for every site—the
impact could have largely been limited to Facebook. Instead, hackers could
potentially have accessed everything from people’s private messages on Tinder
to their passport information on Expedia, all without leaving a trace. Even
more staggering: You could be at risk even if you've never used Facebook to log
into a third-party site.
Master Key
In a paper published in August, computer scientist Jason
Polakis and his colleagues analyzed the many ways that hackers could abuse
Facebook’s Single Sign-On tool. Facebook's not alone in offering the feature;
Google has its own version of it, as do plenty of other so-called identity
providers. But Facebook's, Polakis says, is the most widely implemented.
There are valid reasons third-party sites and services
let users log in with Facebook. For starters, it’s easy, and saves users the
hassle of creating yet another password. And, in theory at least, it makes
logging in more secure. “Being able to set up a secure infrastructure, handle
user input, have encrypted connections, and use up-to-date security mechanisms
is pretty hard,” Polakis says. “So instead of relying on thousands of smaller
websites, you rely on one that has better security practices.”
Of course, those benefits come with obvious associated
risks. If someone compromises Single Sign-On—Facebook's, Google's, or
anyone's—the possible impact is widely dispersed. The researchers tried to
determine the full extent of the potential damage of a stolen account. What
data could an attacker then scrape? How would users know they’d been hacked?
And what, if anything, could victims do about it? At the time, the findings
were unnerving. Now they seem eerily prescient.
On Friday, Facebook announced that hackers had leveraged
three separate bugs to collect 50 million users’ so-called access tokens, which
are the equivalent of digital keys to a Facebook account. With those tokens,
hackers can take full control of users’ Facebook accounts, but because of
Single Sign-On they can also access any other website that those 50 million
users log into with Facebook. That's similar, though not identical, to the
scenario Polakis and his colleagues studied. In that case, researchers were able
to hijack cookies on a given user's device using a now-patched flaw in the iOS
Facebook app. But, Polakis says, once an attacker has control of someone's
Facebook account, their access to third parties would be largely the same.
After Facebook discovered the breach, it reset the access
tokens for all 50 million affected users, and another 40 million who may have
been impacted. “We're still doing the investigation [to see] if these
attackers did get access to those third-party apps,” Facebook spokesperson Katy
Dormer tells WIRED.
Limited Protections
There are ways that third-party companies can and should
protect their users in case Single Sign-On is breached. The problem, Polakis
says, is that few of them do.
For instance, websites that use Single Sign-On can either
automatically log you in if you're already logged into Facebook elsewhere in
your browser, or they can require you to enter your Facebook password every
single time you log in. The second scenario is more secure, because hackers
would need more than just the user’s access token to get into third-party
sites. They’d need passwords, too.
But in a manual audit of 95 of the most popular web and
mobile sites that offer Facebook Single Sign-On—from Uber and Airbnb to The New
York Times and The Washington Post—the researchers found that only two required
people to enter their Facebook passwords each time they logged in. Polakis
describes it as a classic case of companies choosing usability over security.
“If all websites had enabled that option, in this case, the attackers wouldn’t
be able to access third parties, because they wouldn’t have your Facebook
password,” he says.
Third-party sites could also let users view activity on
their accounts. Facebook, for instance, has recommended that users look at
“active sessions” as a way to spot any unauthorized access. But not every
website offers such a digital trail. Nor do they all provide ways to clear
active sessions. In fact, of those 95 sites Polakis and his coauthors studied,
only 10 offer some way to purge sessions. This not only makes the perpetrators
hard to catch, it can make it nearly impossible to cut them off.
Polakis and his team also analyzed a subset of the sites
to see what happens when you change the user’s email address or password on
those third-party sites. They found that out of 29 sites, 15 allow attackers to
change an account’s email without entering a password; of those, six allow the
password to be set without entering the old password. The rest require the
attacker to conduct a formal password reset. But if the attacker has already
reset the email address on that site, they're just routing the password reset
email to themselves.
Facebook's Dormer says the company advises developers on
“best practices,” and is currently “preparing additional recommendations for
all developers responding to this incident and to protect people going
forward.”
But perhaps the most staggering finding in the paper is
that people don't necessarily need to have logged into third-party sites with
Facebook to be exposed. Say, for example, you logged onto a website with the
same email address that's associated with your Facebook account. If an attacker
tries to log onto that same website using Facebook's Single Sign-On, the
researchers found that some sites—including fitness app Strava—will associate
the two accounts.
“If you have a Facebook account, even if you’ve
never used it to log into any other website...an attacker could still use the
Facebook token and get access to a user’s account on third-party websites,”
Polakis says.
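The two weaknesses the paper describes in third-party sites, account changes that need no password and SSO logins that get silently merged into an existing account with the same email address, both come down to a relying party treating a provider token as proof of everything. The following Python sketch is an added illustration, not code from the paper, from Facebook, or from any of the sites named above; the class and method names and the `auto_link_by_email` switch are hypothetical. It puts the weak behaviour (merge on email match) beside the hardened one (an email collision only produces a `link_required` result until the user proves ownership with the local password), and it requires the current password for email and password changes so a stolen SSO session alone cannot reroute a password-reset email.

```python
"""Relying-party account logic: SSO login, account linking, email and password changes.
Added example with hypothetical names; not the paper's or any site's real code."""
from __future__ import annotations

import hashlib
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    linked_sso_ids: set[str] = field(default_factory=set)  # provider subject ids the user linked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RelyingParty:
    def __init__(self, auto_link_by_email: bool):
        # True reproduces the weak behaviour the audit found; False is the hardened one.
        self.auto_link_by_email = auto_link_by_email
        self.by_email: dict[str, Account] = {}
        self.by_sso_id: dict[str, Account] = {}

    def register(self, email: str, password: str) -> Account:
        salt = os.urandom(16)
        acct = Account(email, salt, _hash(password, salt))
        self.by_email[email] = acct
        return acct

    def check_password(self, acct: Account, password: str) -> bool:
        # An SSO-only account has an empty hash and therefore never matches.
        return secrets.compare_digest(acct.pw_hash, _hash(password, acct.salt))

    def login_with_sso(self, sso_id: str, sso_email: str):
        """Returns ('ok', acct), ('new', acct) or ('link_required', None)."""
        if sso_id in self.by_sso_id:            # identity already linked: normal login
            return "ok", self.by_sso_id[sso_id]
        existing = self.by_email.get(sso_email)
        if existing is None:                    # first visit: create an SSO-only account
            acct = Account(sso_email, b"", b"")
            acct.linked_sso_ids.add(sso_id)
            self.by_email[sso_email] = acct
            self.by_sso_id[sso_id] = acct
            return "new", acct
        if self.auto_link_by_email:
            # Weak: a provider token for a matching address takes over the local
            # account even though its owner never used SSO on this site.
            existing.linked_sso_ids.add(sso_id)
            self.by_sso_id[sso_id] = existing
            return "ok", existing
        # Hardened: the address collision is only a hint; the user must prove
        # ownership of the local account before the identities are linked.
        return "link_required", None

    def link_sso(self, acct: Account, sso_id: str, password: str) -> bool:
        if not self.check_password(acct, password):
            return False
        acct.linked_sso_ids.add(sso_id)
        self.by_sso_id[sso_id] = acct
        return True

    def change_email(self, acct: Account, new_email: str, password: str) -> bool:
        # The recovery address controls password resets, so re-prove the password.
        if not self.check_password(acct, password):
            return False
        del self.by_email[acct.email]
        acct.email = new_email
        self.by_email[new_email] = acct
        return True

    def change_password(self, acct: Account, old_password: str, new_password: str) -> bool:
        if not self.check_password(acct, old_password):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        return True
```

In the hardened store an attacker holding only a provider token for a victim's email address never reaches the existing local account, and even a session they do obtain cannot change the recovery address or password without the current password. SSO-only accounts (empty hash) would need a different step-up, such as fresh authentication at the provider, before such changes; that path is left out here.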
Data Overload
So what data could the researchers collect by penetrating
these third-party sites? In controlled experiments, Polakis and his
colleagues were able to track a victim's trips in real time on Uber. In one
case, they tipped the driver from the attacker's device after the trip was
complete. On Tinder, they were able to read users' private messages, even
though the messages appeared as unread to the affected account. From Expedia,
they pilfered passport numbers and TSA information.
All that, just from an experiment with a limited number
of compromised accounts and third-party sites. The attack Facebook disclosed,
Polakis says, "is insanely higher scale," affecting tens of millions
of users across thousands of sites.
WIRED contacted several developers for comment, including
Strava, Tinder, Expedia, and Airbnb. Uber, for its part, said it has revoked
the tokens for accounts that the company believes could be at risk. According
to spokesperson Melanie Ensign, that means anyone who logged onto Uber with a
new device, though it's unclear in what time frame. "While we haven't seen
evidence this exploit was used on our platform, our security teams and systems
are constantly looking for potential issues and will notify users when we
detect suspicious activity on their account," Ensign says.
For now, Facebook is looking into whether the access
token reset is enough to prevent the attackers from accessing these
third parties going forward. (Polakis says that based on his research, it
isn't.) The extent of the damage that was already done over the 14 months the
vulnerability was active is still unknown. Facebook isn't yet sharing its
specific recommendations for developers, but Polakis has a suggestion: Single
Sign-Off. It would give users a way to instantaneously revoke access from every
website connected to their Facebook accounts, and invalidate an attacker's
sessions.
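Both the "active sessions" view most of the audited sites lacked and the "Single Sign-Off" Polakis proposes are, on the relying-party side, a session registry that can be listed and purged per user. The Python sketch below is an added example, not code from the paper, from Facebook or from any site; the class and method names are hypothetical, and it assumes the identity provider can tell the relying party when a user's tokens were reset (the `on_provider_token_reset` hook is an assumption, not a description of Facebook's API). It shows why a token reset at the provider alone is not enough: the attacker's already-established session on the third-party site stays valid until the site revokes it.

```python
"""Per-user session registry with listing, single revoke, purge-all and a
provider-reset hook. Added example with hypothetical names."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    method: str        # "password" or "sso:<provider>"
    device: str        # constructed label shown in the user's active-sessions view
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self._by_sso_subject: dict[str, set[str]] = {}  # provider subject id -> session ids

    def create(self, user: str, method: str, device: str,
               sso_subject: str | None = None, now: float | None = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, method, device, now, now)
        if sso_subject is not None:
            # Remember which provider identity minted this session so a reset
            # at the provider can be mapped back to the sessions it should kill.
            self._by_sso_subject.setdefault(sso_subject, set()).add(sid)
        return sid

    def validate(self, sid: str, now: float | None = None) -> Session | None:
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        s.last_seen = time.time() if now is None else now
        return s

    def active_sessions(self, user: str) -> list[Session]:
        """The 'active sessions' list a user needs in order to spot an intruder."""
        return [s for s in self._sessions.values() if s.user == user and not s.revoked]

    def revoke(self, user: str, sid: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or s.user != user or s.revoked:   # only the owner may revoke
            return False
        s.revoked = True
        return True

    def revoke_all(self, user: str, keep: str | None = None) -> int:
        """Single Sign-Off for this site: purge every session, optionally keeping
        the one the user is currently on. Returns the number revoked."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked and s.session_id != keep:
                s.revoked = True
                n += 1
        return n

    def on_provider_token_reset(self, sso_subject: str) -> int:
        """Provider reports this identity's tokens were reset: kill the sessions
        it minted here. Without this, the provider-side reset leaves any
        attacker session on this site alive."""
        n = 0
        for sid in self._by_sso_subject.pop(sso_subject, set()):
            s = self._sessions[sid]
            if not s.revoked:
                s.revoked = True
                n += 1
        return n
```

A real deployment would persist this store and include the provider hook in whatever deauthorization or token-reset signal the identity provider offers; the point of the sketch is that revocation has to happen on the relying party, because that is where the attacker's session lives.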
Facebook certainly deserves scrutiny. It has pushed its
way into every corner of the internet for more than a decade, often without
considering the ramifications of its ubiquity. But what's also clear is that,
in the interest of making it easier for people to spend more time swiping and
clicking through their sites and apps, other web giants let their users down
too. And now everyone will pay the price.
Additional reporting by Louise Matsakis.