Facebook Finds ‘No Evidence’ Hackers Accessed Connected Third-Party Apps

Oct 3, 2018

When Facebook last weekend disclosed a massive data
breach—that compromised access tokens for more than 50 million
accounts—many feared that the stolen tokens could have been
used to access other third-party services, including Instagram and
Tinder, through Facebook login.

Good news is that Facebook found no evidence “so far” that
proves such claims.

In a blog post published Tuesday, Facebook security VP
Guy Rosen revealed that investigators “found no evidence” of
hackers accessing third-party apps with its “Login with Facebook”
feature.
^[2]

“We have now analyzed our logs for all third-party apps installed
or logged in during the attack we discovered last week. That
investigation has so far found no evidence that the attackers
accessed any apps using Facebook Login,” Rosen says.

This does not mean that the stolen access tokens that had
already been revoked by Facebook do not pose any threat to
thousands of third-party services using Facebook Login, as the
company explains it depends upon how websites validate their users
access tokens.

Many websites that do not use Facebook’s official SDKs to
regularly validate their users access tokens could still allow
attackers to access users’ accounts using revoked access
tokens.

In order to help such websites, Facebook is building a tool that
will enable developers to “manually identify the users of their
apps who may have been affected, so that they can log them
out.”

“Any developer using our official Facebook SDKs — and all those
that have regularly checked the validity of their users’ access
tokens – were automatically protected when we reset people’s access
tokens,” Rosen says.

While announcing its worst-ever data breach last week,
Facebook said unknown hackers had exploited a chain
of vulnerabilities in its code to steal 50 million accounts
tokens—digital keys that keep users logged in, so they don’t need
to re-enter their credentials every time they use the app.

The social media giant fixed the issue on Thursday night and
forcefully logged 90 million users out of their accounts as a
precaution by resetting their access tokens.

Even after Facebook announced that it found no evidence of hackers
accessing third-party services that use Facebook’s single sign-on
in the massive attack, some of those services are taking necessary
steps to safeguard their users.

For example, Uber has precautionarily expired all active
Facebook-based login sessions temporarily after the data breach,
while the company is still investigating the breach at its end.

The social media giant has yet to disclose the attackers
responsible for the massive attack, their origins, and the data
they may have stolen from the affected 50 million Facebook
users.

The Irish Data Protection Commission said ^[4]
that less than 10 percent of the 50 million users (which equals to
five million users) attacked in the breach are based in the
European Union (EU), where Facebook can be fined up to $1.63
billion under the nation’s General Data Protection Regulation
(GDPR) if it did not find doing enough to protect the security of
users.

^[1]^[3]

References

^{^}
50 million accounts
(thehackernews.com)
^{^}
published
(newsroom.fb.com)
^{^}
exploited a chain of
vulnerabilities (thehackernews.com)
^{^}
said
(twitter.com)

The Hacker News Headlines

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Aug 18, 2023

The Hacker News Headlines

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

Aug 18, 2023

The Hacker News Headlines

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

Aug 18, 2023

OWASP TOP !0

Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Cross-Site Scripting XSS. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Facebook Finds ‘No Evidence’ Hackers Accessed Connected Third-Party Apps

References

Related Post

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

You missed

Protected: Rotary VI EAST

Protected: BetterCyberCareer Group

Protected: Benin Club 1931 – Official

Protected: Whatsapp AI Automation Group