Like other security enthusiasts, we have been avidly following the latest Facebook attack where access tokens for 30 million users were stolen. Large-scale breaches from hacking naturally attract significant attention, despite them being depressingly common. Aside from all the political and economic questions that are prompted when a data breach has the spotlight, the technical aspects are of central interest to security enthusiasts: what mistakes were made and cleverly exploited to successfully hack the organization? Here we explore and explain the known technical details of the hack that were promptly released by Facebook. We remark that detailed disclosures of this type demonstrate maturity and can be part of a strong cybersecurity strategy: the more companies share about their challenges and mistakes for others to avoid, the greater the payoff to everyone’s security through the proverbial golden rule.
What were the mistakes
Let’s now dig into the mistakes that were made in Facebook’s case, and learn how a “motivated adversary” was able to discover and exploit the vulnerabilities. We translated all information released thus far by Facebook into a hands-on environment that contains similar vulnerabilities. Your mission, is to assume the role of the Adversary and exploit the vulnerability!
We believe that when developers understand how software flaws are exploited, they are in a far better position to discover and prevent similar mistakes from being made in the future. Furthermore, if security is the “absence of vulnerabilities”, you can improve it only if you can actually reason about possible vulnerabilities.
Chaining vulnerabilities together
Historically, cyber attacks have mostly involved exploiting a specific flaw or bug to get privileged access to a system. Following an arms race between attackers and defenders, many modern attacks exploit a chain of vulnerabilities that together yield the attacker elevated access or control over some assets. In the Facebook breach, the attackers got access to 30 million accounts! Worryingly, the attack chain was discovered only because it generated an anomalous spike of activity on the social network while it was being actively and automatically exploited by an attacker between September 15-24 2018.
The Facebook attack chain
#1 "View As"
The first is an omission in the “View As” privacy feature. Specifically, “View As” allows a person, say Alice, to see what her profile would look like she if logged on as another user, say Bob. Normally, Alice should of course not be able to do anything in this mode aside from viewing her profile as Bob -- “View As” is a view-only interface. However, Alice would erroneously be allowed to post a “happy birthday” video as Bob to her profile.
#2 Access token for the wrong person
The next mistake in the chain concerns Facebook’s video uploader within the “View As” mode. In this mode, when Alice uploads a birthday video as Bob, the code incorrectly generated an access token not for Alice, but for Bob. As mentioned, access tokens are a common and convenient mechanism for applications to automatically authenticate themselves with something like a password, having already been granted privileges to do certain tasks by the issuer of the token.
#3 Too much privilege
The final vulnerability is that the access token generated by the video uploader was far too privileged: it provided the same permissions as the Facebook mobile app. Because access tokens are intended to authenticate applications automatically, they are not subject to multi-factor authentication that we often require from people. Alice thus obtains an access token whose privileges are close to that of the Facebook mobile app on Bob’s phone. Although the vulnerability did not affect Messenger and the contents of private messages we will use that to demonstrate possible impact of the vulnerability. Message content could only be exctracted if the target was a page admin and recieved message through Facebook.
A social network is a small world
The impact of this vulnerability chain is greater than the sum of its parts. Alice, on her own accord, generate access tokens that give her effective privileges as any of her friends. Masquerading as Bob, she can in turn compromise any of Bob’s friends, and so forth. Facebook itself has studied properties of friendship chains in its social graph and found that the average degree of separation between a random pair of users is only about 4.5, which is even shorter than Stanley Milgram’s popularized “six degrees of separation” for the U.S. population. Moreover, how to navigate the social network to a given target (which of my friends’ friends are friends with some of the target’s friends?) has been studied extensively.
An attacker could wield this attack in two major ways. On one hand, if you have a specific target in mind, you need only attack a few Facebook users (friend-of-a-friend chains) to get to full access to their account. On the other hand, if you want to attack a large group, the tightly knit structure of a social network through friendships allows you to easily grab access tokens for vast groups of users. In the case of Facebook, the attacker began with access to a small set of real Facebook users, proceeded to automatically compromise access tokens for 400,000 of their friends, and then gathered partial information for another selected 29 million of their collective friends, including contact details. For 15 million people, this included the last 10 places they checked into or were tagged in, 15 last searches, pages and people they follow, devices used to access Facebook, and full profile information (birth date, gender, locale and language, relationship status, religion, current city, etc.) We do not yet know if specific users could have been targeted, and Facebook claims it is investigating this possibility.
Become the Adversary
To give you a real feeling for the attack, we have created OpenBook: an application providing similar functionality to Facebook, including the infamous “View As” feature that allows you to see how your profile would be seen by your friends. We note that the reading of messages is for Simplicity of presentation and illustration purposes since Facebook has since stated that no message content was available to the attackers, only message metadata. We invite you to exploit the vulnerabilities in OpenBook and gain access to the account of “Lark Underberg” and glean through his private messages…
OpenBook is implemented in Adversary, our online training platform that is intended to train developers and IT personnel about security in a hands-on manner from the vantage point of the hacker. OpenBook is one of over 37 interactive and gamified missions that also cover the most common web vulnerabilities (OWASP Top 10). We continually add missions to explain and distill new attack vectors as they appear so that your developers can stay abreast of the threats that are constantly evolving. We hope you try out Adversary – it might offer the security skill set that you or your developers need to prevent the next big data breach!