On Friday, Facebook revealed that hackers broke into the company’s servers and potentially stole the data of up to 50 million people.
The social network forced 90 million people—around 50 million victims plus an additional 40 million that may have been affected, according to the company—to log out and log back in again. That’s because the hackers stole their “access tokens,” a sort of digital key that Facebook creates when you log in. The token allows you to stay logged in when, for example, the Facebook mobile app wants to open another part of Facebook inside a browser (this might occur when you click a link).
An access token doesn’t include a user’s password, but since it allows a user to stay logged in, having someone’s access token means you can completely control their account.
“Parts of our site use a mechanism called single sign-on that creates a new access token,” Guy Rosen, Facebook’s vice president of product management, told reporters on a press call. “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to login again on that window.”
The hackers took advantage of three distinct vulnerabilities chained together in order to steal the tokens, Rosen said.
The vulnerabilities have existed since at least July 2017 and were related to Facebook’s “View As” tool, which allows you to view your own profile as if you were someone else (this is a privacy feature: it lets you check, for example, whether your ex, or grandma, or anyone you want to hide things from can see certain posts on your page).
If you haven’t used the feature before, it can be hard to visualize or imagine. Basically, let’s say you wanted to hide some wall posts from your nemesis John. You can change your Facebook privacy settings to allow John to only see certain posts. Then, to check that the changes to your privacy settings actually worked, you can use the View As feature to look at your profile as if you were John. You’re not actually John, of course, and you don’t have access to his account—it’s just a simulation. But this chain of bugs would have allowed you, if you were a hacker, to acquire John’s access token, and then log into his account using that token, therefore taking full control of his account.
“It’s important to say: the attackers could use the account as if they were the account holder,” Rosen said.
The first bug, Rosen explained, caused a video uploader to show up on View As pages “on certain kinds of posts encouraging people to post happy birthday greetings.” Normally, the video uploader should not have shown up there. The second bug caused this video uploader to generate an access token that had permission to log into the Facebook mobile app, which is not how this feature “is intended to be used,” according to Rosen.
The final bug, Rosen explained, was that when the video uploader showed up as part of the View As feature, it generated a new access token not for the user, but for the person they were pretending to be—essentially giving the person using the View As feature the keys to access the account of the person they were simulating. In the example we gave above, this would not only have allowed you to look at John’s profile using the View As John feature, but it also would have generated an access token allowing you to log in to and take over John’s account.
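To make the three-bug chain concrete, here is an added, simplified model of how a single-sign-on token minter can go wrong in exactly this way, next to a hardened version and the invariant check a server-side write filter would enforce. This is illustrative code written for this article, not Facebook’s code; the session fields, component names and scope names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the View As token bug described above (not Facebook's code).
# Session.user_id is the authenticated user; view_as is the profile being simulated.

@dataclass(frozen=True)
class Session:
    user_id: str
    view_as: Optional[str] = None  # set while the View As feature is active

@dataclass(frozen=True)
class AccessToken:
    subject: str  # the account this token can act as
    scope: str    # "web_view" = narrow SSO handoff, "mobile_app" = full app login

def mint_sso_token_buggy(session: Session, component: str) -> AccessToken:
    """The chain: (1) the video uploader renders inside a View As page,
    (2) it is allowed to request a mobile-app-scoped token, and
    (3) the token's subject is taken from the simulated profile, not the session."""
    if component == "video_uploader" and session.view_as is not None:
        return AccessToken(subject=session.view_as, scope="mobile_app")
    return AccessToken(subject=session.user_id, scope="web_view")

def mint_sso_token_fixed(session: Session, component: str) -> Optional[AccessToken]:
    """Hardened: never mint while simulating another user (returns None),
    always bind the subject to the authenticated user, and keep SSO scope narrow."""
    if session.view_as is not None:
        return None
    return AccessToken(subject=session.user_id, scope="web_view")

def token_invariant_ok(session: Session, token: AccessToken) -> bool:
    """Write-filter style check: a freshly minted SSO token must belong to the
    authenticated user and must not escalate to full mobile-app permissions."""
    return token.subject == session.user_id and token.scope == "web_view"
```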
“It was the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers,” Rosen said. “Those attackers, in order to run the attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot that access token to other accounts and then look up other users in order to get further access tokens.”
Rosen said he believed that this was a relatively sophisticated attack, especially to get up to 50 million different logins: “This is a complex interaction of multiple bugs that happened together,” he said.
“We did see this attack being used at a fairly large scale, which is how we discovered it and began investigating and found the attack that was happening,” Rosen said. “We don’t know exactly how accounts were misused so far.”
Ryan Stortz, a security researcher at Trail of Bits, told Motherboard that Facebook should’ve had the ability to find this bug before the hackers did.
“Facebook has a whole API filter that they stream all account changes (writes) through that should have caught this,” Stortz told Motherboard in an online chat. “I don’t know what the flaw was, but if they took over Zuck’s account, that’s bad and they should have had a write filter to prevent that.”
But a former Facebook security engineer said this was not a trivial bug to find.
“It sounds like a hell of a find, the ‘View As’ code has been around for a while so I’m not surprised it had some bugs,” Zac Morris, who worked in Facebook’s security division from 2012 until 2016, told Motherboard. “But pivoting off that into full access tokens is pretty impressive.”
Morris added that “as someone who was affected I’m mostly interested in who was doing it and why, [because] that’s a $30,000 bug bounty report, so they must’ve had some better way to monetize it which is a little scary.”
Rosen said that the hackers did not steal passwords, so unless you’ve already been forced to log out, you should not be affected, and you don’t need to change your password. Facebook said it has temporarily disabled the View As feature.