Customers of Facebook have filed a lawsuit in California seeking damages for the leak of personally identifiable information following the revelation that details of 50 million users were stolen following a security breach.
Facebook announced the breach on Friday. It said that its engineers discovered it on Tuesday 25 September.
It said the investigation is still in its early stages but according to technical details released by the company, the attackers were able to exploit a flaw in Facebook’s "View As" feature.
Ironically, View As was introduced as a feature to enable customers to take greater control of their privacy. It allowed users to see their account the way specific users would so as to gauge the effect of their privacy settings.
However, the attackers discovered that under certain circumstances, View As could be used to discover the authentication tokens for arbitrary users. According to security experts, this may not have been a sophisticated attack but rather a case of attackers trying their luck.
Authentication tokens are alphanumeric strings which are generated by Facebook when a user logs in. A copy is stored in the user’s browser and another copy on Facebook’s servers – by comparing the two strings, users can be authenticated from one session to another without forcing them to log in each time.
By stealing users’ authentication tokens, the attackers could perform actions on Facebook as that user. That would include reading and posting messages and even logging into other sites which allowed users to authenticate the use of their site through Facebook.
The attackers could also pivot through a user’s account to launch further View As requests on their friends to gain further authentication tokens.
Facebook said that it thinks the flaw was introduced to the site in July 2017 with the introduction of View As. However, it relied on flaws in two other modules including a video viewer and a feature that encouraged users to wish each other happy birthday.
Pedro Canahuati, VP of engineering, security and privacy at Facebook, explained what happened:
First: View As is a privacy feature that lets people see what their own profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.
Second: A new version of its video uploader (the interface that would be presented as a result of the first bug), introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.
Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.
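As an added illustration of the token-binding problem described above (not Facebook's code; the token format, user ids and function names are constructed for the example), this contrasts an uploader that mints a token for the user being looked up with one that binds tokens to the authenticated viewer and refuses to mint inside a view-only surface:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the server-side signing key.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class RequestContext:
    actor_id: str                # user who is actually logged in
    view_as_id: Optional[str]    # profile being previewed via "View As", if any
    surface: str                 # UI component making the request, e.g. "video_uploader"


def mint_token(user_id: str, scope: str) -> str:
    """HMAC-signed bearer token bound to a user id and scope (illustrative format)."""
    body = f"{user_id}:{scope}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"


def token_subject(token: str) -> Optional[str]:
    """Return the user id a token is bound to, or None if the signature is invalid."""
    user_id, scope, sig = token.split(":")
    expect = hmac.new(SERVER_KEY, f"{user_id}:{scope}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(sig, expect) else None


def issue_for_uploader_vulnerable(ctx: RequestContext) -> str:
    # Models the third bug: under View As the uploader derives the token's
    # subject from the profile being looked up, not from the logged-in actor.
    subject = ctx.view_as_id or ctx.actor_id
    return mint_token(subject, "mobile_app")


def issue_for_uploader_hardened(ctx: RequestContext) -> str:
    # View As is a view-only interface: no token is minted from that surface at all.
    if ctx.view_as_id is not None:
        raise PermissionError("token issuance is not allowed inside View As")
    # Outside View As the token is always bound to the authenticated actor.
    return mint_token(ctx.actor_id, "mobile_app")
```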
Facebook said it has reset the access tokens for all the accounts affected, notified law enforcement and turned off the View As feature while it investigates.
The lawsuit against Facebook was filed within one working day of the breach announcement. Running to 30 pages in length, the complaint asks the court to recognise it as a class action suit representing anyone running one of the affected accounts. It is being led by two affected persons, Carla Echavarria who resides in California and Derrick Walker who lives in Virginia, both of whom were notified by Facebook that their accounts had been breached.
It alleges that Facebook’s security was lax and exposed personally identifiable information (PII) to the attackers. The plaintiffs are requesting financial relief and a fine against Facebook.
Facebook described the breach as the result of a sophisticated attack, requiring the attackers to coordinate three different modules on the site that interacted in unexpected ways.
However, there is some speculation online that an attacker could have identified the problem without any sophisticated analysis, and without understanding the interaction between the components, by grepping the source code for authentication tokens while playing with the features on the site.
Alan Woodward, visiting professor in the department of computer science at Surrey University, said attackers often "exercise functions and look to see what they will yield rather than the intended data".
He told SCmagazineUK.com, "Someone here obviously tried several combinations and explored how much they could do with the tokens that were being generated. It’s the classic method of find a toehold and pivot from there to gain further access. If you rattle enough door handles in the right way, you’ll find one that opens just far enough for you to reach through and release the safety chain."
He questioned why the flaw was not discovered by Facebook. "What I don’t understand is how this wasn’t picked up before by either internal or external pentesters? It may have been that odd combination of three flaws together, but there must have been pointers in how the View As function operates to lead the hackers down that route. They didn’t just wildly guess. I think there’s still some interesting detail to emerge," he said.
Raj Samani, chief scientist at McAfee, told SC: "Beyond the headlines there will be questions about the source of the attack and ultimately the impact to users affected by the breach. The reality is that such platforms will be targeted due to the sheer amount of data they hold, and whilst the term sophisticated will be debated, determining reasonable security measures will ultimately be a subjective opinion for each user."
Ian Thornton-Trump, security head at AMTrust Europe, told SC: "In terms of vulnerability chain, it’s true that a sophisticated actor (a very subjective term) managed to identify the three trees to cut down in the forest to get the prize. I see this as a bigger problem for Facebook in a heap of problems: the more data you hold, the more risk your organisation has. Right now Facebook has to be one of the highest risk organisations, because the only thing they have is personal data!"
He added: "This incident has given fuel to the regulatory fire for large social media based organisations. It also comes at a time when the sensitivity around elections and facilitating influence operations for hostile foreign powers."