After months of repairing its public image, Facebook sent shockwaves through the privacy world last week when it acknowledged that it had inadvertently introduced a set of security bugs more than a year ago and then failed to notice as attackers exploited those bugs to mass access and potentially harvest the private information of more than 50 million users. As opposed to an ordinary permissions error, Facebook’s breach was about as serious as it gets: the attackers were able to get Facebook to issue them an access token in the name of any user they wished, signing them into Facebook as that user with full privileges, including the ability to use Facebook Login to sign in as that user into any of the potentially more than 42,000 sites that allow such cross-authentication. What does Facebook’s breach teach us about how social media companies view our safety and security compared with their own?
Facebook’s latest security scandal is a cautionary tale about the complexity of our modern online world. The websites that power the increasingly centralized web are so immense and have so many moving parts that they are essentially web-based operating systems, with all of the unforeseen organic interactions that have plagued operating systems since the dawn of the computing era.
Moreover, as those online platforms have increasingly centralized the web inside their walled gardens, they have become primary targets not only of traditional cybercriminals, but of nation states themselves. The stakes couldn’t be higher, with the private information of more than 2.2 billion people and the ability to control the flow of news and potentially even disrupt or influence the outcome of an election, all hinging on Facebook’s programmers not adding a bad line of code.
While bugs and undocumented or inadvertent behaviors are an unavoidable part of the software development process, Facebook’s immense resources and brand cachet mean it can attract top engineering and security talent that in theory should be able to prevent most such gross security errors and detect very early on those errors that do slip through. A small startup of 3 people might be forgiven for introducing an authentication bug, but when Facebook does it, it really reflects both the complexity of Facebook’s systems and the lack of both proper testing procedures and robust ongoing behavioral analysis to flag suspicious account accesses.
The authentication infrastructure of any online platform is its most sensitive and critical user-facing component. While complex multi-component interactions like that which appears to have befallen Facebook can be extraordinarily difficult to catch, the details the company has released to date appear relatively straightforward for a motivated attacker to have discovered and exploited. As the near-daily hacks and breaches that befall the online world remind us, there are legions of extremely skilled and motivated attackers probing popular sites every hour of the day looking for precisely these kinds of obscure complex interactions, especially in modules relating to content uploading and account switching.
The company announced today that it does not believe that the attackers used Facebook Login to attempt to log into any external sites using the breached credentials. This means that their primary focus was on exploiting Facebook itself, rather than merely using it as a jumping-off point to the rest of the web.
That the attackers were focused on Facebook itself raises serious questions about the attack and in some ways makes it far graver than if the focus had been merely on gaining access to Facebook Login. That the attackers viewed people’s private Facebook data as so valuable as to burn through an extraordinarily valuable exploit to mass access it reminds us of just how damaging the information is that we freely hand over to Facebook and its advertisers to mine each day.
What was the attackers’ motivation for the breach? Was it mass harvesting of data for phishing attempts, financial fraud or nation state use for targeted disinformation campaigns or espionage?
The latter possibilities are especially troubling given that Facebook has not yet disclosed whether there were any commonalities among the 50 million breached accounts. Were they completely random accounts of everyday Americans or were they centered on business or governmental leaders? Military and intelligence personnel? Financial services employees? Perhaps low-level employees with privileged knowledge such as executive assistants or IT personnel?
Facebook is an especially rich source of information for hyper personalized phishing and fraud efforts, but perhaps its greatest value is as a source of blackmail and insider information. Everyday employees of major companies become aware of confidential information in the course of their jobs and some of them choose to disclose bits and pieces of that information on their Facebook pages. Even something as seemingly innocuous as announcing that they will have big work news to share next Monday could tip off someone who knows a big announcement is coming from their company’s division but doesn’t know the date it will be announced. Or announcing that they are so proud of their work on a major new product that was just released could yield important information based on the fact that their division wouldn’t ordinarily be involved in such a product release and so on. They might also divulge information to spouses, family members, close friends and others who might in turn share bits of that information privately with others.
Much of that information is shared only with friends and family on Facebook but is already accessible today by working with contacts who are already friends with the person. However, many people convey confidential information more directly via Facebook Messenger or private posts, especially when asking friends and family how to deal with sensitive subjects at work or home. These communications were all accessible via Facebook’s breach.
Alternatively, imagine a nation state that targeted key elected officials and rising young political stars. Accessing their private Facebook accounts could yield embarrassing or even highly compromising information that could be used either to blackmail that official or to sway an election down the road years later by releasing it hours before voters go to the polls.
This raises the question of how Facebook missed all of this until now. Behavioral analysis is a standard part of modern best practice for securing online accounts, using a variety of indicators of a user’s behavioral history to flag accounts that are acting “unusually.” Given Facebook’s deep penetration into our lives, the company has a rich archive of how its users ordinarily behave, and even if the attackers were highly sophisticated nation state actors, it still should have detected unusual login and account access behavior almost immediately, not after up to 50 million accounts were accessed.
Even if the attackers purposely chose “noisy” accounts whose behaviors were already highly unpredictable, Facebook’s infrastructure instrumentation should have very rapidly warned it that several portions of its security-related code were being invoked and interacting in configurations in which they had not historically done so. Even at the complexity level of massive online platforms like Facebook, code still behaves according to specific design principles, and deviations from its ordinary pattern of behavior are closely monitored.
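The two detection signals described above, a behavioral baseline for token issuance and instrumentation that flags code paths interacting in combinations never seen before, can be sketched as a small offline detector. This is an added illustration, not Facebook’s code; the event format, the code-path names (loosely following the article’s mention of content uploading and account switching) and all log records are constructed here.

```python
from collections import defaultdict

# Constructed token-issuance events (not real Facebook logs). Each records who
# requested the token, whose account it grants access to, and which code paths
# (constructed names) participated in issuing it.
BASELINE = [
    {"requester": "u1", "subject": "u1", "paths": ("login",)},
    {"requester": "u2", "subject": "u2", "paths": ("login",)},
    {"requester": "u3", "subject": "u3", "paths": ("session_refresh",)},
    {"requester": "u1", "subject": "u1", "paths": ("content_upload", "session_refresh")},
]
WINDOW = [
    {"requester": "u9", "subject": "u100", "paths": ("account_switch", "content_upload", "token_issue")},
    {"requester": "u9", "subject": "u101", "paths": ("account_switch", "content_upload", "token_issue")},
    {"requester": "u9", "subject": "u102", "paths": ("account_switch", "content_upload", "token_issue")},
    {"requester": "u2", "subject": "u2", "paths": ("login",)},
]

def known_path_combos(events):
    """Instrumentation baseline: code-path combinations historically seen issuing tokens."""
    return {frozenset(e["paths"]) for e in events}

def unseen_combos(window, baseline_combos):
    """Events whose code paths interacted in a combination absent from the baseline."""
    return [e for e in window if frozenset(e["paths"]) not in baseline_combos]

def impersonation_fanout(window, max_subjects=1):
    """Behavioral signal: requesters receiving tokens for more distinct other
    accounts than the threshold (tokens for one's own account are ignored)."""
    subjects = defaultdict(set)
    for e in window:
        if e["subject"] != e["requester"]:
            subjects[e["requester"]].add(e["subject"])
    return {r: len(s) for r, s in subjects.items() if len(s) > max_subjects}

def detect(baseline, window, max_subjects=1):
    """Combine both signals into one report for the analysis window."""
    combos = known_path_combos(baseline)
    return {
        "unseen_path_combos": len(unseen_combos(window, combos)),
        "fanout": impersonation_fanout(window, max_subjects),
    }

if __name__ == "__main__":
    print(detect(BASELINE, WINDOW))
```

In a real deployment the baseline would be learned over a long history and the fan-out threshold tuned per feature, but even this crude pairing flags a single requester minting tokens for many unrelated accounts through a previously unseen code-path combination.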
Perhaps the most remarkable aspect of this story then is the fact that Facebook did not detect the breach until now. Either Facebook’s behavioral account monitoring and infrastructure instrumentation monitoring are insufficient to detect a massive breach involving its core authentication framework or else the company has simply not prioritized protecting user data and is not monitoring or utilizing the indicators it has available in an effective fashion.
More to the point, it demonstrates the differing level of care Facebook gives to the security of its own data in the form of its source code and trade secrets from that afforded to the digital lives of its users. These differences have emerged again and again such as in the special rights its CEO had to delete previous messages and that its employees are given special notification when a fellow security employee accesses their account. Imagine if the breach had been to its source code repository, making off with the crown jewels of the company, rather than its lifeblood of user data. It is likely that such a breach would have been detected far sooner with far greater care paid.
When asked how the company would respond to the argument that it is not sufficiently investing in the safety and security of its users’ data if it was unable to detect intruders accessing the private data of 50 million users right under its nose, and why the company was unable to detect the breach sooner through behavioral or instrumentation monitoring, the company pointed to its previous public statements and said it had no further comment.
Putting this all together, Facebook’s breach reminds us that even the biggest Silicon Valley companies with vaunted security teams and top engineers can still introduce bugs that undermine all of that security, creating a backdoor that allows attackers to simply walk right out with all of the data they want, instead of having to hack their way in to get it. More to the point, Facebook’s inability to find the vulnerability or detect the unusual user activity for more than a year suggests critical failures on the part of its security stance and that it is not making the necessary investments to keep its user data safe. Most importantly, however, it reminds us of how immensely valuable all that data is that we keep freely handing over to Facebook each day for safekeeping.