On September 25, 2018, Facebook announced that it had detected a data breach involving the "View As" feature on its network. "View As" lets a user preview how their own profile page appears to other users. The attackers exploited bugs in this feature that allowed them to obtain access tokens for over 50 million accounts. It is not clear exactly when the exploitation began, but according to Pedro Canahuati, Facebook's VP of Engineering, Security and Privacy, the attackers chained three bugs in the View As feature and, by repeating the process many times, collected tokens for a large number of accounts. Facebook's report explained that the combination of three bugs in the feature was the point of exploitation. The first bug: when View As starts, the profile page should render in read-only mode; however, the composer box in which other users post birthday greetings remained active and also allowed videos to be uploaded. The second bug: when a video was uploaded through that box, the video uploader generated an access token carrying the privileges of the Facebook mobile app. The last bug is the worst, and it is tied to the second: when the token was generated, it was not only a token for the user who activated View As but also a token for the other user in whose name the first user's profile was being previewed. Once the token was generated, the attackers could extract it from the page's HTML source and use it to access the target account. From there they moved on to the target user's friends and repeated the process to harvest still more tokens. This is a textbook case of poorly developed software becoming a vulnerability, since the attack did not even require the victim to click a link or open an attachment.
Over 50 million accounts around the world, not concentrated in any particular location, had their tokens breached, but there is no evidence that sensitive information such as names, gender, addresses, chats or credit card numbers was accessed.
However, this does not mean that none of that data was breached or that it was safe, because with the access tokens the attackers took, third-party applications such as Tinder, and any other application that relies on Facebook's single sign-on or OAuth, were also exposed to a data breach. These access tokens should not be generated or distributed this easily: they are what keeps users logged in, so that once a user has logged in the token takes over the login procedure and the user does not have to re-enter credentials again and again, and the same tokens are also used for third-party access. The exploitation of user access tokens is therefore a serious problem. Facebook's response began with temporarily shutting off the View As feature while fixing its vulnerability, and with reporting the incident to law enforcement. According to Guy Rosen, VP of Product Management at Facebook, right after they found the incident the company "reset the access tokens of the almost 50 million accounts" and "as a precautionary step reset access tokens for another 40 million accounts that have been subject to a 'View As' look-up in the last year". After these actions, 90 million Facebook users had to log in again when accessing Facebook and any third-party application that uses Facebook access tokens. Although users did not have to change their passwords, they had to log in again and were advised to check the security and privacy settings in their Facebook app.
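The two security-relevant points in the passages above are the token being minted for the wrong identity during a View As preview and the mass token reset that logged 90 million users out without a password change. The following is an added example, not Facebook's code, that models both in a toy token service: the preview identity is display-only and must never decide whose token is issued, and a per-user generation counter lets the operator invalidate every outstanding token for a set of users at once. All names (`Session`, `TokenService`, `render_composer`) and the token format are hypothetical.

```python
"""Added example (not Facebook's code): a toy model of the View As conditions
described in the text and of the token reset Facebook applied afterwards.

Assumed design: every request carries an authenticated principal; a View As
preview adds a separate display-only 'viewed_as' identity. Names are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class Session:
    principal: str                      # the user who actually authenticated
    viewed_as: Optional[str] = None     # View As preview identity, rendering only


@dataclass
class TokenService:
    # Server-side signing secret plus a per-user generation counter. Bumping the
    # counter is the "reset": every token signed under the old value stops validating.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    generation: Dict[str, int] = field(default_factory=dict)

    def _sign(self, user: str, gen: int, scope: str) -> str:
        msg = f"{user}|{gen}|{scope}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return f"{user}|{gen}|{scope}|{mac}"

    def issue(self, session: Session, scope: str) -> str:
        # Hardened: the token is always bound to the authenticated principal,
        # regardless of any preview identity on the session.
        user = session.principal
        return self._sign(user, self.generation.get(user, 0), scope)

    def issue_vulnerable(self, session: Session, scope: str) -> str:
        # Models the third bug described above: inside a preview the uploader
        # issued a token for the identity being previewed, not for the principal.
        user = session.viewed_as or session.principal
        return self._sign(user, self.generation.get(user, 0), scope)

    def validate(self, token: str) -> Optional[str]:
        """Return the token's user if signature and generation check out, else None."""
        try:
            user, gen_s, scope, mac = token.split("|")
            gen = int(gen_s)
        except ValueError:
            return None
        expected_mac = self._sign(user, gen, scope).rsplit("|", 1)[1]
        if not hmac.compare_digest(mac, expected_mac):
            return None
        if gen != self.generation.get(user, 0):
            return None                  # token predates a reset for this user
        return user

    def reset_tokens(self, users: Iterable[str]) -> None:
        for u in users:
            self.generation[u] = self.generation.get(u, 0) + 1


def render_composer(session: Session) -> dict:
    """Models the first bug: in a preview the composer must be read-only and
    must not expose the video uploader at all."""
    preview = session.viewed_as is not None
    return {"read_only": preview, "video_upload": not preview}


def demo() -> dict:
    svc = TokenService()
    # Constructed scenario: alice previews her profile as bob would see it.
    alice_preview = Session(principal="alice", viewed_as="bob")
    bad = svc.issue_vulnerable(alice_preview, "mobile")
    good = svc.issue(alice_preview, "mobile")
    out = {
        "composer": render_composer(alice_preview),
        "vulnerable_token_user": svc.validate(bad),   # "bob": token for the wrong person
        "hardened_token_user": svc.validate(good),    # "alice"
    }
    svc.reset_tokens(["bob"])                         # the precautionary reset
    out["after_reset"] = svc.validate(bad)            # None: old token is dead
    out["alice_still_valid"] = svc.validate(good)     # "alice": other users unaffected
    return out


if __name__ == "__main__":
    print(demo())
```

The reset is cheap because validity is checked server-side against the current generation rather than by searching for and deleting individual tokens; that is also why the users affected only had to sign in again, and why third-party applications holding one of the old tokens lost access at the same moment.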
Users could also find a notification about these actions once they logged in to Facebook again. Unfortunately, although Facebook claimed to have fixed the vulnerability in the View As feature, I checked my Facebook application and it seems the feature is still not available; according to comments in Facebook's help center, "this feature is currently disabled", and they have not brought it back yet. Under the GDPR, once a reportable breach has occurred the company must report the incident to the Data Protection Commission within a 72-hour timeframe. Since no timeline has been made public, it is hard to determine whether Facebook actually followed the regulation. The investigation into when the breach occurred, how far its impact extended, and whether Facebook followed the notification rules is still ongoing. After the incident, Facebook's stock market value immediately dropped by 3 percent. The incident was disclosed after Facebook had been accused of leaking users' private data to Cambridge Analytica. Following the CA and Facebook data leakage scandal, this software bug exploitation, and another breach in which some users' private photos were exposed to app developers without the users' permission, all happened in the third and fourth quarters of last year. Last year CEO Mark Zuckerberg had to attend a hearing and answer questions about data leakage and protection. At the hearing Zuckerberg pledged to consider stronger protections for private data, and Facebook did update the user security and privacy settings in its application. Ironically, despite all of Zuckerberg's commitments, the company was exposed again for its poor management of private data.
On March 21, 2019, the in-depth security news and investigation blog KrebsOnSecurity disclosed that "Facebook stored hundreds of Millions of User Passwords in Plain Text". The report also revealed that more than 20 million Facebook employees were able to look up users' passwords without any restraint, because 200 to 600 million Facebook users' passwords were stored in plain text on a password management server without any encryption. Facebook admitted that the passwords were indeed stored in plain text, but it did not admit that any password had leaked or been used maliciously. Even though no password leak was confirmed, the series of data incidents and breaches shows that Facebook needs to seriously reconsider its data management and secure development procedures. Many IT companies, especially in the social network business, criticized Facebook's poor data management, and many IT experts and members of the public became more attentive to data usage, data management and vulnerabilities. Personally, I think Facebook did a pretty good job in how it reacted and responded to the public about these issues. They did not try to disguise the problem or deny any of their wrongdoing. They also seem to have fairly good incident response rules, because once they figured out there was a breach in one of their features, they quickly responded by isolating the vulnerability, shutting off the feature and resetting the affected accounts. However, it does not make sense to me that a social network giant like Facebook did not find the bug in the first place.
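The storage practice the KrebsOnSecurity report describes, a table from which anyone with read access can recover every password, is shown below beside the practice it should have been: a salted, deliberately slow password hash verified in constant time, so that even an insider or an attacker who dumps the table learns no passwords. This is an added example, not Facebook's code; the class names, the iteration count and the record format are illustrative, and PBKDF2-HMAC-SHA256 is used because it ships in Python's standard library (a memory-hard function such as scrypt or Argon2 is the stronger choice where available).

```python
"""Added example (not Facebook's code): plaintext password storage beside a
salted, iterated hash. Parameters and names are illustrative."""
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 100_000   # constructed value; tune upward to the hardware in production
SALT_BYTES = 16


class PlaintextStore:
    """What the report describes: whoever can read the table reads the password."""

    def __init__(self) -> None:
        self._pw: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._pw[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._pw.get(user) == password

    def dump(self) -> Dict[str, str]:
        # An internal lookup tool over this table exposes every user's password.
        return dict(self._pw)


class HashedStore:
    """Salted, iterated hash: a dump yields no passwords; verification still works."""

    def __init__(self) -> None:
        self._rec: Dict[str, str] = {}

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)        # fresh per user: equal passwords, different records
        digest = self._derive(password, salt, ITERATIONS)
        # Self-describing record, so the cost can be raised later without a forced reset.
        self._rec[user] = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

    def verify(self, user: str, password: str) -> bool:
        rec = self._rec.get(user)
        if rec is None:
            # Burn the same work for unknown users so they are not distinguishable by timing.
            self._derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
            return False
        _alg, iters, salt_hex, digest_hex = rec.split("$")
        candidate = self._derive(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def dump(self) -> Dict[str, str]:
        return dict(self._rec)


def leaked_passwords(store, passwords: Dict[str, str]) -> int:
    """Count how many registered passwords appear verbatim in a dump of the store."""
    dumped = store.dump()
    return sum(1 for user, pw in passwords.items() if pw in dumped.get(user, ""))


if __name__ == "__main__":
    users = {"alice": "correct horse battery", "bob": "correct horse battery"}  # constructed
    for cls in (PlaintextStore, HashedStore):
        s = cls()
        for u, p in users.items():
            s.register(u, p)
        print(cls.__name__, "leaked:", leaked_passwords(s, users))
```

The point the passage turns on is visible in `dump()`: with the plaintext store an internal search tool is a password disclosure channel by construction, while with the hashed store the same tool returns only salts and digests, and verification still succeeds for the legitimate user.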
As a giant IT company, its developers or in-house white-hat hackers should have found the vulnerability long before it was exploited, but they failed to. Perhaps they have poor procedures in their secure software development process. Also, after this series of data-breach incidents, it is hard to understand why they were not taking care of their sensitive data management. I believe that a secure development procedure and sound data management are the most basic but most important and necessary security measures, and any IT company should consider them first. Facebook claims the vulnerability was found and exploited because the attackers must have been smart and well trained. That may be right to some extent, but I think there is a better explanation for this incident. I think it derives in part from the chronic problems of centralized systems. If Facebook issued access tokens in a decentralized way using blockchain technology, this incident might not have happened at all, and such a system might provide fair shares of ownership over a large amount of data and ultimately lead to a cleaner system. In addition, if such a dramatic change to a decentralized system is not proven secure or is too expensive, a serious reconsideration of their software development procedures and data management should be applied first and foremost. Facebook should not only update its users' privacy and security settings but also deeply reassess its development phases and each security measure that can be reworked and followed. They should also reinforce their penetration testing team to make sure none of these bugs survive into a feature that is actually launched in the application.