Facebook forced more than 50 million users to log back in on Thursday by resetting the access tokens on their accounts, and said it would reset another 40 million in the coming days, citing a major breach of the site’s security that allowed unknown attackers to take over people’s accounts.
The company said its own engineering team discovered the flaw, which involved the site’s “View As” feature, which lets users see how their privacy settings affect what information about them is visible to other people. Facebook said it is working with law enforcement to investigate the problem. The breach would be the largest account-compromise incident in the company’s history and comes as Facebook is still responding to the misuse of its platform in the run-up to the 2016 U.S. presidential election.
In a blog post, Facebook Vice President of Product Management Guy Rosen said that the company is disabling the “View As” feature while it conducts a “thorough security review.” According to Rosen, the flaw allowed attackers to use the video upload feature to obtain access tokens for other users, which could then be used to take over those users’ accounts as if the attacker had logged in as them. Access tokens are the credentials that keep Facebook users logged in to the company’s applications, so they do not have to re-enter their user name and password every time they leave the site; whoever holds a valid token can act as the user it was issued for.
While not providing specific information on how its site was compromised or who was behind it, Rosen said the attack exploited “the complex interaction of multiple issues in our code” and “stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’” Facebook isn’t saying whether the accounts it is resetting were misused or whether Facebook data was stolen. It also can’t say who was behind the attacks. “We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change,” Rosen wrote. It was unclear from Facebook’s statement how attackers were able to pivot from an initial victim to obtain access tokens for other Facebook users connected to the victim.
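The design-level problem described above, two individually reasonable features combining so that a preview page hands out a credential for the wrong person, can be modelled in a few lines. The following is an added illustration written for this article, not Facebook’s code, and it does not claim to reproduce the actual bug: the `Session`, `TokenStore` and `uploader_token_*` names are hypothetical, and the “fix” shown is one of several possible ones. The vulnerable path mints a token for whichever identity the page is being rendered as; the hardened path binds tokens to the authenticated principal only and refuses to mint any credential while a page is being previewed as someone else.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session (not Facebook's data model)."""
    user: str                      # the authenticated principal
    view_as: Optional[str] = None  # set while the page is previewed as another user


class TokenStore:
    """In-memory stand-in for the token issuer: token string -> user it acts as."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def mint(self, user: str) -> str:
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = user
        return tok

    def whoami(self, tok: str) -> Optional[str]:
        # Whoever presents the token is treated as the user it was minted for.
        return self._tokens.get(tok)


def uploader_token_vulnerable(store: TokenStore, s: Session) -> str:
    """Modelled bug: an embedded widget (here, a video uploader) is rendered for
    the identity the page is *showing*, so under View As it mints a token for the
    viewed user and embeds it in a page the *viewer* can read."""
    rendered_identity = s.view_as or s.user
    return store.mint(rendered_identity)


def uploader_token_fixed(store: TokenStore, s: Session) -> Optional[str]:
    """Modelled fix: a preview must never carry credentials at all, and outside a
    preview tokens are bound to the authenticated principal, never to the
    identity being displayed."""
    if s.view_as is not None:
        return None
    return store.mint(s.user)


def demo() -> Dict[str, Optional[str]]:
    """Run both paths for an attacker previewing a victim's profile and for an
    ordinary session; returns who each issued token resolves to."""
    store = TokenStore()
    attacker_preview = Session(user="mallory", view_as="victim")
    normal = Session(user="mallory")

    leaked = uploader_token_vulnerable(store, attacker_preview)
    safe_preview = uploader_token_fixed(store, attacker_preview)
    own = uploader_token_fixed(store, normal)

    return {
        "vulnerable_preview_token_is_for": store.whoami(leaked),     # "victim"
        "fixed_preview_token": safe_preview,                          # None
        "fixed_normal_token_is_for": store.whoami(own),              # "mallory"
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the check that was missing: the issuer takes an identity argument from the rendering layer instead of reading it from the authenticated session. A reviewer looking at either feature in isolation would see nothing wrong; only the composition mints a credential for a principal who never authenticated.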
The company said users who have to log back in will receive an explanation, though a number of Facebook users contacted by Security Ledger said there was no indication from the company about why they had to log back into their account after having done so.
The breach may be an inevitable byproduct of Facebook’s massive platform, said Gary McGraw of the firm Synopsys.* “Facebook does care about software security. But when you have such a complicated system that your features like View As can be turned on their head into an exploit, what you find there is a really tricky security engineering issue at the design level,” he said. “You have two features that, I think, they felt like were designed pretty well that, together, constituted a design flaw.”
McGraw said that such occurrences are becoming more common as the rise of agile development and DevOps has emphasized rapid, iterative development, leaving less time and fewer resources for the design and software-architecture phase.
Account takeover attacks are a growing problem as malicious actors take advantage of leaked account credentials and other personally identifying information that can allow them to pry their way into social media, email and bank accounts. Often account takeover attempts follow directly on the heels of breaches. In a report released in May, the company Distil Networks found that account takeover (or ATO) attacks like “credential stuffing” jumped by 300% in the days following a breach.
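Credential stuffing, the form of account takeover named above, has a recognisable signature in authentication logs: one source tries many different usernames, each only once or twice, with a low success rate, which is the opposite of a classic brute force against a single account. The following detector is an added example written for this article, not code from Facebook, Distil Networks or any vendor; the log format, field names and thresholds are assumptions, and the log lines are constructed. It flags a source IP when, inside a sliding time window, it fails logins against at least `min_users` distinct accounts, and reports how many logins from that source succeeded in the same window, since those successes are the takeovers that matter.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (assumed format, not real traffic): 203.0.113.7 sprays
# leaked credentials across many accounts and gets one hit, 198.51.100.9
# brute-forces a single account, and 192.0.2.5 is an ordinary user.
SAMPLE_LOG = """\
2018-09-28T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2018-09-28T10:00:03Z ip=203.0.113.7 user=bob result=FAIL
2018-09-28T10:00:04Z ip=192.0.2.5 user=carol result=OK
2018-09-28T10:00:06Z ip=203.0.113.7 user=dave result=FAIL
2018-09-28T10:00:09Z ip=203.0.113.7 user=erin result=OK
2018-09-28T10:00:11Z ip=203.0.113.7 user=frank result=FAIL
2018-09-28T10:00:14Z ip=203.0.113.7 user=grace result=FAIL
2018-09-28T10:00:17Z ip=203.0.113.7 user=heidi result=FAIL
2018-09-28T10:01:00Z ip=198.51.100.9 user=bob result=FAIL
2018-09-28T10:01:02Z ip=198.51.100.9 user=bob result=FAIL
2018-09-28T10:01:04Z ip=198.51.100.9 user=bob result=FAIL
2018-09-28T10:01:06Z ip=198.51.100.9 user=bob result=FAIL
2018-09-28T10:01:08Z ip=198.51.100.9 user=bob result=FAIL
2018-09-28T10:01:10Z ip=198.51.100.9 user=bob result=FAIL
2018-09-28T10:05:00Z ip=192.0.2.5 user=carol result=FAIL
2018-09-28T10:05:05Z ip=192.0.2.5 user=carol result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(
    text: str,
    window: timedelta = timedelta(minutes=5),
    min_failures: int = 5,
    min_users: int = 5,
) -> Dict[str, Dict[str, int]]:
    """Return {ip: {"failures", "distinct_users", "successes"}} for every source
    that, within `window`, failed at least `min_failures` logins spread over at
    least `min_users` distinct accounts. The densest qualifying window per IP
    is reported. A single-account brute force (many failures, one user) is
    deliberately not matched by this rule."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in parse_log(text):
        by_ip[e.ip].append(e)

    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.ok]
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            win = fails[start:end + 1]
            users = {e.user for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                if best is None or len(win) > best["failures"]:
                    lo, hi = win[0].ts, win[-1].ts
                    successes = sum(1 for e in evs if e.ok and lo <= e.ts <= hi)
                    best = {
                        "failures": len(win),
                        "distinct_users": len(users),
                        "successes": successes,
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

On the constructed log the spraying source is flagged with six failures across six accounts and one success (the account whose leaked password still worked); the single-account brute force and the ordinary user are not. In production the same logic would run over a rolling feed and be paired with per-account rate limits, and the `successes` figure is the list of accounts to force-reset first.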