Reasonably Accurate Transcript
Morning everybody. How are you doing today? In this episode, I want to talk about Facebook. Well, I don't want to talk about Facebook, but I feel obliged, compelled, to keep talking about this network. It's a network everybody loves to hate. You may be watching me live on Facebook right now.
It's an interesting sort of conundrum for all of us. But there was big news out of Facebook on Friday: they announced that over 50 million accounts had been hacked, and of course everybody, rightfully so, started to freak out. But as the technical details kind of came out, I started diving into the situation a little bit deeper to try to figure out if they handled it well, and really what the consequences were for us as users.
So here's what happened, at least as far as we know, based on publicly available information: 50 million accounts were exposed through a combination of three separate bugs or vulnerabilities. That's an interesting chain, where attackers didn't use just one issue or even two; they actually had to leverage three separate things that in isolation weren't that big of a deal.
And this is something we're seeing more and more in general with hackers, with malicious actors, where they're chaining little things together to create a bigger problem. Now, for defenders, that's a real big issue, because we normally today classify vulnerabilities based on their individual, isolated impact.
So you say, oh, that's a minor vulnerability, we're not going to worry about it right now, we've got this other thing that's much more important. But what we've seen time and time again, we saw it at Pwn2Own, which is a hacking competition, in a positive way, for positive research.
We've seen that for the last couple of years, where attackers, in this case researchers, have been using multiple vulnerabilities to create a far worse outcome, and that's exactly what happened to Facebook on Friday. They announced, or at least they announced it on Friday, that hackers used three different vulnerabilities from basically three different teams, from what we can tell on the Facebook side at least.
So that's why it wasn't caught, to escalate their access into the Facebook infrastructure. Now, you may have noticed a couple of years ago you kind of stopped logging into Facebook. There's a reason for that: obviously, that would reduce your engagement.
It would be a pain in your butt if every time you picked up your phone you had to log into Facebook. The way that's done in the back end is, once you successfully log into Facebook, Facebook creates a token, and that's a unique, really long, complicated set of characters, and it stores that token on your device, whatever you're logged in from.
And it keeps a copy of that token on the Facebook side, so that when I then pick up my phone and click on the Facebook app, it checks that token with Facebook. Facebook looks and says, you know what, that really long, complicated string, that token, that's valid right now; I'll let you have access to Mark's account.
And what happened with these hackers is, after they escalated through these three bugs, they gained access to the Facebook side of the token. So your device wasn't broken into, but Facebook's list of those matching tokens was accessed, and they got 50 million of them. In response, when Facebook found out about the issue, the first thing they did was they looked at every account that had used the View As feature.
Now, this is one of the vulnerable features that these hackers used. What it does is it allows you to check your security policy, ironically, on your Facebook account, to see what it would look like if Joe was looking at your account, or Francine or Fred or whoever was looking at your account.
So it's a way for you, being logged in, to see how other people would see your information. Super useful, very powerful feature that's currently disabled because of this. So what happened was they were able to leverage a bug here to pull down a copy of Facebook's token for your login.
So now they had a valid token, and so do you on your device. So what Facebook did was they looked at everybody who had ever used that feature, so that's the normal usage by users as well as the hackers, and they wiped all of those tokens out.
So that's why 90 million is the number you hear: 50 million accounts were actually affected, 90 million accounts were reset, because those extra 40 million were users who had taken advantage of this security feature to see how their profile looked from other people's profiles.
So it's a great reaction. Facebook saw the issue. They went overly conservative and, you know, even though they knew there were 50 million that were accessed, they just wiped everybody, just to be sure, which is great.
It was a minor inconvenience for users: when they picked up their app on Friday, they had to log in. The problem is the level of communication, because bad things happen, they're always going to happen. You need to be out in front of it.
You need to be honest, you need to be open with the users. So these people just had to log in, and there wasn't, to my knowledge, from any reporting, there wasn't a prompt that said, hey, your account was potentially affected, we've reset it.
They were just saying, oh, I guess I have to log in again, and then trying to dig up the information on Friday, it wasn't immediately apparent. Now, in Facebook's defense, not a phrase I say often, when a cybersecurity incident like this is evolving, there's not a lot of information.
You don't have all the answers up front. It takes a while to get them. But at the point where they invalidated those login tokens and forced 90 million users to re-log in, they knew that there was a potential to affect them.
So that's when the communication should come out, in more than just the Facebook blog. They have the ability to push a message to all these users. They should have done that. In fact, they should have done it to all users and said, hey, if you're not affected, right?
Because, you think about it, 90 million users is probably about 6 to 8% of their user base, depending on the numbers you see lately. So it's a significant chunk of users. And it would make sense in this case to alert all users and say, if you did not have to re-log in, you were not affected, or better yet, hey, we impacted you, or you weren't impacted, because there's no further steps you can take as a user beyond invalidating those tokens.
Facebook already took their logical step of invalidating the tokens so that the hackers now are denied access. But that information is potentially out there. The only thing additionally you as a user can do is go back in your timeline to see if there's anything posted that you didn't post, that maybe they posted.
But really, that doesn't seem to be what the root of this attack was. It seemed like it was harvesting personal information of 50 million people, and it seems like it was quite successful. So that's the deal with the Facebook thing. Some things to learn from, some things to compliment, like a good, swift reaction in users' favor, which is always a positive thing.
But that communication definitely could have been better, especially for a platform that is all about communication. You would hope that they would have come out and said, hey everybody, here's what went on, as opposed to just putting up a blog post and then letting the media report on things as the information kind of came out and as they could locate various experts.
So, you know, time and time again it happens with these breaches, where communication is absolutely critical. I'm sure I'll cover that more in depth. But really, at this point, the easy takeaway for breach notification and talking to users is: be open and honest.
Yeah, it sucks. But you know what, something crappy happened. It's already a sucky situation; shutting people out and not giving them the information they need at the right time just makes things worse. What do you think? Let me know, hit me up online @marknca for those of you on the vlogs.
And ironically on Facebook, hit me up in the comments down below. As always, for podcast listeners and everybody, you can hit me up on email, me@markn.ca. I hope you have a fantastic day. I'm on the road a bit this week.
But I will keep trying to broadcast, though Wednesday won't hit the time because I'll be live keynoting SecTor in Toronto. If you're there, swing on by, say hi. Have a fantastic day.
We'll talk to you online and we'll see you on the show tomorrow.