Facebook leaks data (including private conversations) from 50 million accounts

IT Voice

40 million more “likely” affected

If you were born in the late 80s, you probably know the meaning of AFK. Otherwise, not only do you likely have no clue what it is, but chances are that you never logged out of your account. And that was perfectly fine. Until today, when almost 90 million users found themselves logged out of Facebook hours ago as a precaution against what appears to be the worst privacy blunder of the social network to date.
The story, frame by frame
As per Facebook’s announcement, almost 50 million accounts have been compromised through a chain of vulnerabilities in the View As feature, which allowed an unknown party to steal the access tokens of these 50 million users. These tokens keep you logged into the account whenever you refresh the browser page, reboot the computer or put it to sleep: as long as the token is valid, you are granted access to your account without going through the login process. Whoever holds the token is equally exempt from the login process, including whoever stole it through this vulnerability.
There is little additional information about this bug, except for the fact that it has been partially mitigated by the social network disabling the View As feature. It is worth noting that there is no mention of a Bug Bounty reward or of a white-hat hacker reporting this vulnerability. At this point, it’s safe to assume that this was not a controlled report and that a third party literally walked away with at least 50 MILLION access tokens to as many accounts.
Here comes the painful part
Facebook Messenger is the world’s second largest instant messaging platform, with almost 1.3 billion active users. It’s also the world’s largest instant messaging platform that does not have end-to-end encryption turned on by default. This means that chat history is always available from whatever machine you are logging in from, unless you have manually turned on the Secret Conversations option. At this point, it’s safe to assume that, if you got logged out of Facebook for no apparent reason:
1. Most likely your account was among the ones that were hacked, which brings us to point number 2.
2. Your private posts, conversations and every other piece of information, like check-ins, pictures sent via chat and so on, have likely fallen into the wrong hands. If, at any point, they become public following a “data dump”, marriages will break, friendships will end abruptly and sensitive pictures will flood the internet. Life will never be the same as before, “thanks” to a small bug in a platform.
3. Other accounts using Facebook authentication might have been accessed.
As of now, it is hard to tell what the hackers were able to get their hands on. However, given the complexity of the bug and the generous timeframe (the bug was caught last Tuesday by the social network, but it could have been exploited for far longer than that), it is fair to assume the worst. The reason you had to log in again today was Facebook’s way of denying the hackers access to the accounts: they invalidated the access tokens of both the 50M confirmed compromised accounts and the 40M accounts suspected of being compromised.
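The invalidation described above, shown as an added example that is not part of the original article and not Facebook’s code: a hypothetical bearer-token service where every account carries a session generation, so bumping that generation makes every previously issued token fail validation, which is the server-side equivalent of the forced logout. The server key, token format and user ids are all constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

class TokenService:
    """Hypothetical bearer-token issuer with bulk, per-account invalidation.

    A bearer token proves nothing about who presents it, which is exactly why a
    stolen one grants access; the defence is to make every token revocable."""

    def __init__(self, server_key: bytes):
        self._key = server_key            # constructed secret, never sent to clients
        self._generation = {}             # user_id -> current session generation

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Mint a token bound to the account's current session generation."""
        gen = self._generation.setdefault(user_id, 0)
        claims = {"uid": user_id, "gen": gen, "nonce": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode()
        return f"{body}.{self._sign(payload)}"

    def validate(self, token: str):
        """Return the user id if the token is genuine and still live, else None."""
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body.encode())
            if not hmac.compare_digest(sig, self._sign(payload)):
                return None               # forged or tampered token
            claims = json.loads(payload)
        except (ValueError, TypeError):
            return None                   # malformed token
        if claims.get("gen") != self._generation.get(claims.get("uid"), 0):
            return None                   # predates a bulk invalidation: treated as logged out
        return claims["uid"]

    def invalidate_all(self, user_ids):
        """Bump the generation of each affected account; all its outstanding tokens die at once."""
        for uid in user_ids:
            self._generation[uid] = self._generation.get(uid, 0) + 1
```

Note that invalidation touches only the accounts listed, so users outside the affected set keep their sessions, matching the selective logout described above.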
And, as we’re talking about extremely sensitive content such as private chat conversations, group chats and business-to-consumer interactions, changing your password won’t be enough to make everything OK again. So, if you’ve had sensitive content shared on Facebook Messenger, it’s time to come to terms with it. If you’re a company that uses Facebook Messenger for support purposes and you’ve been logged out of your account, you’d better start evaluating what information has been exchanged across the medium and start notifying customers. This is by all accounts a data breach that falls under the GDPR and should be treated as such.
What you should do now
The disclosure goes along the lines of the old adage “never put all your eggs in one basket”. Social networks have become the centerpiece of a digital life that blurs into physical life itself. It is also a reminder that social networks can do much more than influence your shopping behavior or swing an election: they can have serious consequences for your life through the private social interactions they hold.
Unfortunately, what has been seen cannot be unseen and there is little you can do right now
to change the course of things. What you should do though is consider your future options:
1. Understand that social networks are not bulletproof places where your secrets are safe.
Plan for the worst and act accordingly.
2. Never put something in writing that you would not like to leak several years from now
when the platform gets breached.