Facebook CEO Mark Zuckerberg speaks during the F8 Facebook Developers conference on May 1, 2018 in San Jose, California. PHOTO: GETTY

Facebook hacked: Is your account safe?

It seems security engineers trivialised the severity of this bug, which has existed since the feature was introduced.

Yasir Zargar October 01, 2018
Security is an illusion, which is a truth increasingly relevant as social networking giant Facebook unearths a security breach affecting millions of users. A security flaw ended up exposing the private information of 50 million users, leaving the organisation perplexed.

If you are a user and are not aware of this security breach – reported by Facebook itself – then you definitely need to learn about it. The vulnerability has existed since last year, and is the largest till date. Facebook’s engineers and security experts revealed that attackers exploited one of its features and then dumped the data of millions of users. It seems the security engineers trivialised the severity of this bug, which has existed since the feature was made available to users.

This is also the first time Facebook admitted to an unauthorised breach by unknown attackers. Last time, the data breach was caused by third party app Cambridge Analytica, which Facebook did not consider an actual breach, since the data was dumped through an online app requiring a Facebook login to participate in a quiz. This was not too long ago, and 70 million accounts were compromised as a result.

How did Facebook get to know about the hack?

Over the past few days, Facebook noticed massive unwanted traffic in its ‘view as’ feature, forcing company engineers and security experts to scrutinise its backend code. Engineers found a security flaw in this feature, pushing them to disable it. By exploiting the flaw, an attacker was able to intrude into a Facebook account, read its personal messages, post unwanted content, dump credit card credentials, and so on.

What’s this ‘view as’ feature?

This feature enables users to preview what their profiles look like when other users view their profiles. Simply put, it lets Facebook users preview their own accounts.

Exploiting the ‘view as’ feature

According to Facebook, the hackers exploited three bugs in this feature, using its weaknesses to breach the privacy of accounts. Through this vulnerability, they were able to generate keys, access and dump tokens, and sign into user profiles without a password. This allowed them to read your private messages, post anything on your timeline, upload a picture or a video, and message any of your friends.

Access tokens: What are these digital keys?

You may have noticed that when you log into your Facebook account once, a security key (access token) is generated, which helps the app to login to the user’s account next time without a password. We can say these access tokens are like digital tokens that keep you logged into your Facebook account so you do not have to enter your password the next time you open the app on your mobile. The attackers hijacked these access tokens, which helped them log into any of the millions of Facebook accounts.

The attackers then dumped the digital key, which was used for authentication, by performing an attack on the ‘view as’ feature. The weakness of this feature has left the engineering and security team baffled, as once again the privacy of millions has been breached. After a violation of this scale, people will no longer be able to trust Facebook as their privacy partner.

Severity of the bug

The severity of this bug was that the attackers could continue using your Facebook account pretending to be the real account holders, as they had your access token to provide them actual authentication to your account.

Facebook’s response

Facebook has notified law enforcement authorities about the breach, and has also reset the access tokens of around 90 million users as a precautionary measure. More than 90 million users were pushed to log out from their devices, while the ‘view as’ feature behind the havoc was also disabled.

What should you do if you were pushed to login again?

If you were pushed to login again, that means your account was compromised. Simply put, you can log out or initiate a security audit on your device and account. Logging out from your account will expire old sessions.

You have to scrutinise your account by clicking on the ‘Settings’ page and then on the ‘Facebook security and login’ page. There you will see a hyperlinked text saying ‘Where you’re logged in’. Simply follow the instructions and analyse all devices from which you had logged into your account previously. You can see devices as well as their current location, and in case you see any unknown locations or devices, you can simply click on the remove button.

Moreover, you can uninstall the Facebook app and re-install it later, for that will ensure your old authentication tokens are lost. You can also try deactivating your account for some time, as reactivating it will also grant new access tokens, while old tokens will automatically expire.

Enabling two-factor authentication

The best way to secure your account is to enable the two-factor authentication system. Two-factor authentication involves the use of a one-time password as you try to log into your account. Whenever you try to login, you have to enter a code which is sent to your number or email. More importantly, this feature protects your account from any attackers, even if they have your password.

As Facebook struggles in this day and age of frequent data breaches and violations of privacy, trying our personal best to protect our information is the very least we can do.
Yasir Zargar The writer is a web security analyst from Srinagar and has co-founded Shafara Creatives (@shafaracreative). He tweets at @islambaduk ‏(https://twitter.com/islambaduk)
The views expressed by the writer and the reader comments do not necassarily reflect the views and policies of the Express Tribune.


Replying to X

Comments are moderated and generally will be posted if they are on-topic and not abusive.

For more information, please see our Comments FAQ