Facebook recently announced that it had suffered its second major security crisis this year, after the highly publicised Cambridge Analytica scandal, drawing widespread concern from users, cyber security experts and regulators.
Hackers exploited bugs in the Facebook code behind the “View As” feature, the company disclosed last Friday, stealing 50 million users’ “access tokens”, the equivalent of digital keys to a Facebook account. With those access tokens, the attackers could take full control of the affected users’ Facebook accounts.
The giant social network addressed the vulnerability by, among other things, resetting the access tokens of all 50 million affected users, plus those of another 40 million who may have been affected.
If you found yourself logged out of your Facebook account last week, your account was probably among those affected.
Facebook’s widespread use, however, meant that the attack was not confined to the social media platform alone.
The Far-Reaching Effects of the Facebook Hack
According to the California-based social media company, third-party apps that people log into via Facebook were potentially also caught up in the mess.
Hackers can potentially use the stolen access tokens to log in to users’ accounts and then exploit Facebook's Single Sign-On (SSO) feature, which lets you use your Facebook account to access other sites and services rather than creating a separate password for every site, to reach the data stored on those other websites.
“The access token enables someone to use the account as if they were the account holder themselves,” Facebook's vice president of product, Guy Rosen, said in a statement. “This does mean they could access other third-party apps using Facebook login,” Rosen added, laying bare the potential ripple effects.
SSO is an easy and increasingly common way for people to log into apps such as PayPal, Spotify, Uber, and Airbnb with their Facebook profile. It is a quick and convenient way to avoid managing multiple passwords, but, as last Friday's hack illustrated, it can also make those accounts more susceptible to data breaches.
While neither Facebook nor any third-party site has confirmed that the hack spread to other platforms, the fact that SSO access tokens turn your Facebook profile into a master key for opening many doors across the web does raise internet-wide concerns about users’ data security and privacy.
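As an added illustration, not Facebook's code or the article's, this sketch shows how a third-party app behind a "Log in with Facebook"-style SSO flow can refuse stolen or reset tokens rather than honour them blindly: it checks the provider's verdict on the token, that the token was minted for this app, that it post-dates the provider's mass token reset, and that it has not expired. The token fields, the app id and the reset timestamp are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2018-09-28T12:00:00+00:00'."""
    return datetime.fromisoformat(s)


# This relying party's own app id at the identity provider (hypothetical value).
OUR_APP_ID = "app-123"

# Instant at which the provider invalidated every outstanding token, modelling
# the mass token reset described above (constructed date, not Facebook's).
PROVIDER_RESET_AT = parse_ts("2018-09-28T12:00:00+00:00")


@dataclass(frozen=True)
class TokenInfo:
    """What a token-introspection call at the provider would report (constructed shape)."""
    user_id: str
    app_id: str
    issued_at: datetime
    expires_at: datetime
    is_valid: bool

    @classmethod
    def from_iso(cls, user_id, app_id, issued_at, expires_at, is_valid=True):
        return cls(user_id, app_id, parse_ts(issued_at), parse_ts(expires_at), is_valid)


def accept_token(info: TokenInfo, now: datetime) -> tuple[bool, str]:
    """Decide whether the relying party should honour the token; returns (ok, reason)."""
    if not info.is_valid:
        return False, "provider reports the token as invalid"
    if info.app_id != OUR_APP_ID:
        # A token minted for a different app must never open a session here;
        # otherwise a token stolen from one app becomes a key to every other.
        return False, "token was issued to a different app"
    if info.issued_at < PROVIDER_RESET_AT:
        # Not yet expired, but minted before the reset: treat it as revoked.
        return False, "token predates the provider's mass reset"
    if info.expires_at <= now:
        return False, "token expired"
    return True, "ok"


def stale_sessions(sessions: dict[str, TokenInfo], now: datetime) -> list[str]:
    """Ids of active sessions whose backing token no longer passes accept_token."""
    return sorted(sid for sid, info in sessions.items() if not accept_token(info, now)[0])
```

A relying party would run `stale_sessions` over its session store after a provider announces a reset and terminate the listed sessions, instead of waiting for the tokens to expire on their own.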
Internet-Wide Data Security Concerns
Considering that similar high-profile breaches exploiting SSO access tokens have occurred on other major social media platforms besides Facebook, people’s digital security does not seem so assured lately.
Last year, a hack of a Twitter app led to security breaches in a similar fashion, illustrating how attackers can take over accounts without ever knowing a password. The danger is that they could potentially get access to sensitive information, from people’s private messages to their passport details, without leaving a trace.
In an August study cited by Wired, computer scientist Jason Polakis and his colleagues analysed the many ways attackers could abuse Facebook’s Single Sign-On tool. The researchers found that, from compromised accounts, attackers could read users' private messages on Tinder, track a victim's trips in real time on Uber, and pilfer passport numbers and TSA information from Expedia.
Polakis and his team were able to pull all of this sensitive and private information from an experiment with just a limited number of compromised accounts and third-party sites.
“If you have a Facebook account, even if you’ve never used it to log into any other website... an attacker could still use the Facebook token and get access to a user’s account on third-party websites,” Polakis says.
Protect Your Data and Privacy Online
Facebook is not the only social media company offering an SSO feature. Google, Twitter, and many other so-called identity providers have their own version of it. However, Facebook's SSO feature is the most widely implemented, according to Polakis. To spot any unauthorised access, Facebook recommends that users review the “active sessions” list in their account settings and report anything suspicious to the platform.
You may also want to enable two-factor authentication on your Facebook account to keep your data and privacy safe, and to do the same on your other social media accounts if they are not inspiring much confidence regarding your digital privacy and security.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen said last Friday in a note on Facebook. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.”