View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 1, 2018

The Facebook Hack: Three Days On, What We Know

"Very creative" breach involving chain of three distinctive bugs

By CBR Staff Writer

With the dust beginning to settle on a colossal security breach at Facebook, disclosed Friday and affecting up to 90 million, including the company’s CEO Mark Zuckerberg and COO Sheryl Sandberg’s accounts, here’s what we know thus far.

Facebook Hack: “The Interaction of Three Distinct Bugs”

The breach was the result of the interaction of three distinct bugs, leading to an attack that was then rapidly automated to compromise the number of accounts affected. It was described by one leading Facebook bug finder as “very creative”.

The three bugs were as follows:

Bug 1: In the “composer” that enables people to wish their friends happy birthday, the “View As” feature incorrectly provided the opportunity to post a video.

Bug 2: The interface presented as a result of this initial bug then incorrectly generated an access token that had the permissions of the Facebook mobile app.

Bug 3: When the video uploader appeared as part of “View As”, it generated the access token not for the viewer, but for the user that they were looking up.

Facebook Hack Identified After User Activity “Spike” 

Facebook identified the breach after spotting  a “spike” in user activity on Tuesday. (Having identified the initial chain of bugs, the as-yet unknown hackers were using the site’s API to automate account breaches.)

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Facebook’s VP Engineering, Security and Privacy, Pedro Canahuati, said: “It was the combination of these three bugs that became a vulnerability… That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user.”

He added: “The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”

Speculation About The Hackers

David Atkinson, Founder of Senseon and a former Ministry of Defence cybersecurity expert, told Computer Business Review:Facebook relies on extensive bug testing and white hat hackers to find vulnerabilities within their applications, but in this case the community did not identify these vulnerabilities. Yet the entry point of the attack has been publicly available for some time.”

See also: Facebook: We Removed One Billion Fake Accounts in Six Months

He added: “What I would conclude from this is that the attack was carried out by an advanced group or likely nation state, who have the resources to constantly sweep massive and therefore attractive targets, like Facebook to spot vulnerabilities. With the mid-term elections around the corner, it is not a huge leap to think that the motivation behind this attack could be political.”

facebook hack

Over the weekend, however, a prolific Taiwanese hacker abandoned plans to livestream deleting Mark Zuckerberg’s Facebook account. Chang Chi-yuan had announced in a Facebook post on Wednesday that he would target the Facebook CEO.

His threat was first spotted by Bloomberg. He did not provide further details about how he would achieve his aim. Two days later the vulnerability was disclosed. He has since deleted his account.

Facebook Bug Bounty Programme

Last year Facebook received more than 12,000 vulnerability reports from security researchers, of which approximately 400 ended up being considered valid bugs: a 3.33 percent hit rate for people actively trying to find issues in its code base.

The company has run a popular bug bounty programme since 2011 – paying out over $6 million for vulnerabilities thus far. Just a week earlier, on September 17, the company broadened its programme, announcing that it would now also accept reports about vulnerabilities in third-party apps and services that connect to Facebook user accounts.

Getting Sued… 

The company is meanwhile now facing a class-action complaint filed on behalf of California resident, Carla Echavarria, and Virginia resident, Derick Walker.

Both allege that Facebook’s lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach. The lawsuit was filed today in US District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California’s Customer Records Act.

The UK’s ICO said: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU