Facebook are facing a fresh cyber security scandal in the wake of last week's hacking news.
Last Friday, Facebook forced 90 million users to log out and back in, due to a security breach affecting 2.5% of their 2 billion-strong user base. It appears that hackers had been exploiting three security vulnerabilities, and that 50 million access tokens had been stolen.
Because these security flaws had been present for a while, all the personal data, private messages, photos and videos of 90 million Facebook users had been completely accessible to hackers since at least September.
Facebook red-flagged the breach after noticing a traffic spike on their servers. This prompted an investigation, which uncovered an ongoing cyber-attack, running since September 16th, aimed at stealing user data 'en masse'.
What were the security vulnerabilities?
To gain control and access, the hackers used 3 Facebook bugs:
- A video uploader that appeared where users wished their friends 'Happy Birthday', when the page was accessed through 'View As'.
- A video uploader that generated a security key with permissions to log into Facebook mobile.
- An access token generated for the Facebook user being searched, giving attackers a chance to act as the account of the viewer.
The current implications
Whilst Facebook are proclaiming 'so far, so good' on the misuse of accounts or information accessed, we all know the investigation has only just started.
There is already news of one class action suit, claiming a lack of 'proper security practices', and with privacy laws at the forefront of everyone's minds, there may well be more to follow.
The ongoing access, with or without passwords
A huge concern is the stolen secret access tokens, which allowed hackers to access accounts without passwords. Access tokens are what programmatically fetch information from each account through an API.
There was no need for passwords or multi-factor authentication to get into Facebook accounts, as the attackers had the access tokens anyway.
This feeds into the next issue, regarding third-party apps that were using Facebook Login, a feature permitting you to sign up and log in to other online services with your Facebook details.
As the secret access tokens let hackers access accounts as the account holders themselves, they could also have allowed access to third-party applications that rely on the Facebook login.
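The two points above (a bearer token is all the API checks, and the same token also unlocks sites that use the provider's login) are easier to see with a small model. The code below is an added, constructed example for this article, not Facebook's code or any real Facebook API: the Provider and ThirdPartyApp classes, the user ids, profile data and app names are invented. It shows why holding a token bypasses passwords and MFA, why the relying site is exposed too, and how bumping a per-user "token generation" invalidates every outstanding token at once, which is the effect of the forced re-login described above.

```python
"""Constructed model of bearer access tokens and a breach-time token reset.

Not Facebook's code: Provider, ThirdPartyApp, user ids and profile data are invented.
"""
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample account data standing in for what a real API would return.
PROFILES = {
    "user-1001": {"name": "Alice Example", "private_messages": ["hi bob"]},
    "user-1002": {"name": "Bob Example", "private_messages": []},
}


@dataclass
class TokenRecord:
    user_id: str
    app_id: str
    generation: int      # the user's token generation when this token was issued
    expires_at: float


@dataclass
class Provider:
    """Identity provider that issues opaque bearer tokens and serves an API with them."""
    tokens: dict = field(default_factory=dict)       # token -> TokenRecord
    generation: dict = field(default_factory=dict)   # user_id -> current generation

    def issue_token(self, user_id, app_id, ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        gen = self.generation.setdefault(user_id, 1)
        token = secrets.token_urlsafe(32)   # unguessable, nothing encoded in it
        self.tokens[token] = TokenRecord(user_id, app_id, gen, now + ttl_seconds)
        return token

    def check_token(self, token, now=None):
        """Return the owning user_id if the token is live, else None."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or now >= rec.expires_at:
            return None
        if rec.generation != self.generation.get(rec.user_id):
            return None   # issued before this user's tokens were reset
        return rec.user_id

    def api_fetch_profile(self, token, now=None):
        """Bearer-token API: no password and no MFA; only the token is checked."""
        user_id = self.check_token(token, now)
        return None if user_id is None else PROFILES[user_id]

    def invalidate_user_tokens(self, user_id):
        """Breach response: every token ever issued to this user stops working."""
        self.generation[user_id] = self.generation.get(user_id, 1) + 1


@dataclass
class ThirdPartyApp:
    """Relying site that signs users in with the provider's tokens.

    It re-checks the token with the provider on each login rather than trusting
    a token it accepted once, so a provider-side reset locks it out too."""
    app_id: str
    provider: Provider

    def login_with_token(self, token, now=None):
        user_id = self.provider.check_token(token, now)
        return None if user_id is None else {"app": self.app_id, "logged_in_as": user_id}


def demo():
    """Issue a token, use it as a thief would, reset it, then re-login legitimately."""
    provider = Provider()
    app = ThirdPartyApp("example-news-site", provider)
    now = 1_000_000.0
    token = provider.issue_token("user-1001", "mobile-app", now=now)

    # Whoever holds the token reads account data and signs in to the relying site.
    stolen_read = provider.api_fetch_profile(token, now=now + 10)
    stolen_login = app.login_with_token(token, now=now + 10)

    # The provider resets the user's tokens: the forced log-out.
    provider.invalidate_user_tokens("user-1001")
    after_reset_read = provider.api_fetch_profile(token, now=now + 20)
    after_reset_login = app.login_with_token(token, now=now + 20)

    # The real user signs in again and gets a fresh token under the new generation.
    new_token = provider.issue_token("user-1001", "mobile-app", now=now + 30)
    relogin = app.login_with_token(new_token, now=now + 30)

    return {"stolen_read": stolen_read, "stolen_login": stolen_login,
            "after_reset_read": after_reset_read, "after_reset_login": after_reset_login,
            "relogin": relogin}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The generation counter is the point worth copying: tokens carry the generation they were minted under, so a reset is one integer increment per user rather than a search for every token that was ever handed out, including the ones sitting in third-party integrations.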
The precedent from Cambridge Analytica
Facebook have faced harsh criticism over their lack of commitment to the privacy of user data in the Cambridge Analytica scandal, in which 87 million non-consenting Facebook users had their data sold to a data-mining firm.
Using a personality quiz called 'thisisyourdigitallife', Facebook's APIs let the app also collect a wide range of information about users and their friends, which Cambridge Analytica was then able to use in ad-targeting work, for alleged electoral advantage.
Cambridge Analytica 2.0?
Whilst we aren't hearing any claims so far of massive malicious marketing scams on the size and scale of Cambridge Analytica, if the duration and reach of the breach are as large as the headlines claim, the media and possibly legal outlook isn't great for Facebook.
That's because the black-market potential of the hack can't be overlooked. The eye-popping scalability of potential fraud, and the lack of third-party accountability, is again something that Facebook will have to deal with head on, and hopefully with more substantial success this time round.
Facebook have probably learned their lesson but will have to find a tougher approach to prevent large-scale security crises.