Facebook Login is the service which allows you to use your Facebook account to log into other sites. It’s undeniably convenient but, as we’ve reported before, it’s also risky. This is because it uses a technology called OAuth, which is intended to simplify the process of logging into multiple services. It does this by issuing a small piece of data (an access token) which denotes that a user is the owner of an account. The closest analogy is a key: once you possess it, you can do what you like with it, and the key has no way of knowing who is holding it. In the Facebook breach, it appears that attackers were able to steal the key and therefore access any accounts for which it was being used. Unfortunately, this means anyone affected by the breach who has used Facebook Login should assume their linked accounts have been compromised. And that means the true impact of this incident could be very far-reaching.
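To make the "key" analogy concrete, here is an added example (not Facebook's code; the token format, HMAC secret and user ids are constructed for illustration) showing that a bearer token grants access to whoever presents it, and the relying-party mitigation that follows from that: expire tokens and mass-revoke anything issued before an incident cutoff so affected users must log in again.

```python
import hashlib
import hmac

# Hypothetical server-side signing key; a real deployment keeps this in a secrets store.
SECRET = b"constructed-demo-signing-key"


def issue_token(user_id: str, issued_at: int, ttl: int = 3600) -> str:
    """Mint a bearer token: user id, issue time, expiry and an HMAC over all three."""
    payload = f"{user_id}:{issued_at}:{issued_at + ttl}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token: str, now: int, revoked_before: int = 0):
    """Return the user id the token proves, or None if it must be rejected.

    Note what is NOT checked: who is presenting the token. Like a physical key,
    possession alone is enough, which is why a stolen token is a full compromise.
    `revoked_before` is the defender's lever: after an incident, set it to the
    time of the forced reset and every older token dies at once.
    """
    try:
        user_id, iat, exp, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user_id}:{iat}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered
    if now >= int(exp):
        return None  # expired
    if int(iat) < revoked_before:
        return None  # issued before the incident cutoff: force re-login
    return user_id


def demo() -> tuple:
    """Stolen token is honoured until a revocation cutoff is published."""
    token = issue_token("user-42", issued_at=1000)
    honoured = verify_token(token, now=1500)                        # attacker presents it: accepted
    after_reset = verify_token(token, now=1500, revoked_before=1200)  # cutoff set: rejected
    return honoured, after_reset


if __name__ == "__main__":
    print(demo())  # ('user-42', None)
```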
The security breach happened because of a series of bugs affecting Facebook’s ‘View As’ feature. The vulnerability is believed to have been present since July 2017, but was only identified on Tuesday, after a spike in usage of the feature was noticed on September 16. It isn’t known how long attackers were able to exploit the vulnerability to gain access to users’ accounts, but Facebook has stated that no credit card numbers were stolen. The nature of the attack also means that no passwords were obtained. Unfortunately, as described above, the attackers would have had complete access to everything on compromised accounts, as well as to any accounts linked to them, including Instagram.
Facebook knows how important it is to protect its users’ personal data. It has taken steps to regain their trust following the Cambridge Analytica debacle, it has begun embedding security engineers and analysts in product teams, and it’s doubling the number of employees working on safety and security to 20,000. But, as this incident demonstrates, the code that runs Facebook is so complex that vulnerabilities are bound to exist, and to be found. This is a good time to check what is on your account and sanitise the information there.