How Facebook Was Hacked And Why It's A Disaster For Internet Security


Facebook dropped a bombshell on Friday when it revealed an unknown hacker had breached the site, compromising the accounts of 50 million users. The company's security team found that three bugs, used in combination, had been exploited to break into Facebook accounts.

Forbes spoke with professional web app hacker and cybersecurity researcher Thomas Shadwell, who pieced together a likely hypothesis on how the mystery hacker or hackers carried out what’s believed to be the most significant ever attack to have hit the social media beast.

The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.” Essentially, these tokens prove the Facebook user is the rightful owner of an account and denote what they have access to. As Shadwell describes them: “OAuth tokens are like car keys, if you're holding them you can use them, there's no discrimination of the holder.” And in the context of this attack, those keys unlocked not just Facebook accounts, but any site that affected users accessed with a Facebook login. That might include Instagram or news websites.

To get those keys, the hackers abused a feature in Facebook called “View As.” It allows any user to see what another can access on their profile. For instance, if you’ve blocked your dad from looking at your photos, you can check it’s working by effectively impersonating your father and viewing your profile.

“It looks like when Facebook built the View As feature, they did this by making it a modification of how Facebook would work if actually viewed by that other user,” said Shadwell. “Which of course means if there's a mistake they might end up sending the impersonated user's credentials to the user of the 'View As' feature.”

This is where things get a bit weirder. If a user, via View As, impersonated a friend who themselves had a friend who had a birthday, the feature would also show a box prompting them to post a “happy birthday” video. Thanks to an error made by Facebook in July 2017, the video provided the user with one of those precious tokens, Shadwell said. More specifically, the video player generated and sent the user a token, one that would log them into the Facebook mobile app as if they were the person they were impersonating via View As. From there the user (in this case a malicious hacker) would have total access over that other person’s account.
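A toy model of the failure Shadwell describes, added here as an illustration and not Facebook's code (the `Session`, `issue_token_vulnerable`, `issue_token_fixed` and `token_leaked` names are hypothetical): the flawed issuer mints a token for whoever the page is being rendered as, while the hardened issuer only ever mints for the authenticated principal and refuses inside a preview.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    user: str                      # principal who actually authenticated
    view_as: Optional[str] = None  # profile being impersonated via "View As"


def issue_token_vulnerable(session: Session) -> dict:
    """Mint a bearer token for the user the page is being rendered *as*.

    Models the flaw described above: View As re-renders the page as the
    impersonated user, so a component that requests a token (the birthday
    video uploader) gets one for that user and hands it to the viewer.
    """
    effective_user = session.view_as or session.user
    return {"sub": effective_user, "scope": "full"}


def issue_token_fixed(session: Session) -> dict:
    """Mint a bearer token only for the authenticated principal.

    Impersonation is a rendering concern the token issuer must not inherit;
    a preview of someone else's view gets no token at all.
    """
    if session.view_as is not None:
        raise PermissionError("token minting disabled inside a View As preview")
    return {"sub": session.user, "scope": "full"}


def render_birthday_box(session: Session,
                        issue_token: Callable[[Session], dict]) -> Optional[dict]:
    """The birthday-video widget embedded in the rendered profile page."""
    try:
        return issue_token(session)
    except PermissionError:
        return None  # widget renders without upload capability


def token_leaked(session: Session, token: Optional[dict]) -> bool:
    """Invariant worth asserting at the issuer and in token-issuance logs:
    a token delivered to a session must belong to that session's principal."""
    return token is not None and token["sub"] != session.user
```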

The attackers wouldn’t have found it difficult to spin up the basic premise of that hack into something massive, affecting millions of accounts. “As for scale, well, there's not really any interaction of the target required, so it's not particularly difficult to automate,” Shadwell added.

Facebook hasn’t said just how many accounts were hacked, where victims were based or who was behind the attack. According to Shadwell, it would’ve taken significant skill to carry it out. “It's very technically impressive to pull this off.”

An internet catastrophe

What’s most worrying of all, though, is what the hack has proven: that a company with the resources and power of Facebook can be robbed of keys that allow access to millions of accounts across the web. Given the keys allowed the hacker to take over any account using a Facebook login, the real number of affected individuals is likely far higher than 50 million. A vast number of people have trusted that Facebook would be able to keep their login information safe, just as they do with Google and other tech providers. Should Facebook's rivals be trusted with people's online security too? This week's breach would suggest perhaps not.

In its annus horribilis, Facebook has suffered an attack that not only gives anyone considering leaving the social network another reason to jump ship, but that's also irrevocably tarnished the trust between internet denizens and the companies they rely on to keep their online lives private.

As one cryptography expert put it on Twitter, this was a genuine internet catastrophe.
