In extreme cases, an attacker could use this access to take over the accounts of the people they are spying on - read their private messages, post things on their behalf, and play havoc with their digital lives.
First Published 1st October 2018
Access tokens - kinda important to get right.
4 min read | Reflare Research Team
On Friday, September 28th, Facebook announced that a vulnerability in one of its lesser-known features had been discovered and abused by attackers. Media reports about the breach have been somewhat sensationalist. In this briefing, we will take a look at what happened, how the issue was mitigated and what the consequences might be.
What happened?
Facebook discovered that a feature known as “View As” contained a bug allowing attackers to take over other users’ accounts. The “View As” feature allows users to see how their own page looks to certain friends or non-friend users. It is useful for confirming if the privacy settings on an account are adequate and for checking unforeseen oversharing.
Due to a bug, the feature allowed attackers to steal access tokens for target accounts.
What about the 50 million users?
This number is taken directly from Facebook’s announcement. However, some clarification is needed. Facebook states that 50 million users were affected. Media reports have taken this to mean that 50 million user accounts were compromised. While that is a possibility, it is likely that Facebook included anyone whose profile was viewed using the “View As” function in these numbers. After all, even if a friend uses the function for legitimate purposes, the wrongly generated access token would still be sent to that friend. From Facebook’s perspective, it is impossible to tell which requests were legitimate and which were made by attackers looking to steal the tokens. Thus, the number of actively targeted or even compromised accounts is likely to be much lower than 50 million.
What are “access tokens”?
Many different schemes of varying complexity exist for authenticating users with web applications. Ultimately, there is always some form of shared secret information between the application and the user. Such information is commonly called a “token”. Stealing an access token is not equivalent to stealing a user’s password. But it still allows attackers to use the application as the affected user without logging in. Consequently, access tokens falling into an attacker's hands is a very severe problem.
How did this happen?
The incident is fascinating because the issue at hand is so common. The ongoing updates to Facebook’s code-base are ultimately what led to the breach.
On a technical level, an access token is generated for every resource (texts, images, videos) that the user loads from Facebook. This access token should belong to the user currently logged in to Facebook. However, a bug in the code for handling video posts within the “View As” feature meant that access tokens for the target user were mistakenly generated instead of access tokens for the viewing user.
In less abstract terms, if Bob used the “View As” feature to see how his profile would look to Alice, and if a video was then shown on the simulated page, that video would be loaded using Alice’s access token. It should have been Bob’s access token. An attacker could now use the token and log into Facebook as Alice.
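To make the two paragraphs above concrete, here is an added example that is not Facebook's code and not from the Reflare article: a constructed, simplified model in which a server mints a resource-scoped access token bound to a principal, and a "view as" renderer decides which principal each token is bound to. The buggy renderer reproduces the class of defect described (video resources get a token for the previewed user instead of the logged-in viewer); the fixed renderer always binds to the session user, and a small audit check flags any rendered token whose subject is not the session user, which is the regression test a defender would want in place. The token format, function names and sample posts are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Constructed server-side signing key; in a real deployment this lives in a key store.
SERVER_KEY = secrets.token_bytes(32)


def mint_access_token(user_id: str, resource: str, ttl: int = 3600) -> str:
    """Issue a resource-scoped access token bound to the acting user.
    Format (assumed for this example): JSON payload + '.' + HMAC-SHA256 tag,
    so the server can later verify which principal the token was issued for."""
    payload = json.dumps(
        {"sub": user_id, "res": resource, "exp": int(time.time()) + ttl},
        sort_keys=True,
    )
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def token_subject(token: str) -> Optional[str]:
    """Verify the tag and return the user the token was issued for,
    or None if the token was tampered with or is malformed."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)["sub"]


def render_view_as_buggy(session_user: str, target_user: str,
                         posts: List[dict]) -> Dict[str, str]:
    """Model of the defect: while simulating how the page looks to
    `target_user`, the video code path mints tokens for the previewed
    account rather than for the logged-in viewer."""
    tokens: Dict[str, str] = {}
    for post in posts:
        if post["kind"] == "video":
            # Wrong principal: the token now grants access as the target.
            tokens[post["id"]] = mint_access_token(target_user, post["id"])
        else:
            tokens[post["id"]] = mint_access_token(session_user, post["id"])
    return tokens


def render_view_as_fixed(session_user: str, target_user: str,
                         posts: List[dict]) -> Dict[str, str]:
    """Hardened renderer: `target_user` only influences what is shown
    (privacy filtering), never whose identity the tokens carry."""
    return {post["id"]: mint_access_token(session_user, post["id"])
            for post in posts}


def foreign_tokens(session_user: str, tokens: Dict[str, str]) -> List[str]:
    """Audit check: resource ids whose token is bound to someone other than
    the logged-in session user. A non-empty result means the page is handing
    out another user's credentials and must fail the build."""
    return sorted(res for res, tok in tokens.items()
                  if token_subject(tok) != session_user)


if __name__ == "__main__":
    # Constructed sample posts: one text post and one video post.
    sample_posts = [
        {"id": "post/1", "kind": "text"},
        {"id": "video/2", "kind": "video"},
    ]
    print("buggy leaks:", foreign_tokens("bob", render_view_as_buggy("bob", "alice", sample_posts)))
    print("fixed leaks:", foreign_tokens("bob", render_view_as_fixed("bob", "alice", sample_posts)))
```

The design point is that the preview identity and the acting identity must be two separate inputs, and only the acting identity may ever reach the token minter; an audit like `foreign_tokens` run over every rendered page in tests catches the moment a refactor wires the wrong one through.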
What are the consequences?
While several news outlets have started reporting on potential billion-dollar EU fines, we consider this outcome to be highly unlikely. Such a fine would require all 50 million accounts to have been actually compromised and negligence on Facebook’s part. Considering the timely and comprehensive response by Facebook and the likely much lower number of affected accounts we discussed above, both are highly unlikely scenarios.
It is, however, very likely that the EU and other government bodies will levy lower fines against Facebook, both to make a political statement and to test out legal proceedings under recent legislation like GDPR.
We presently do not foresee this having a significant impact on Facebook.
From a user perspective, nothing more needs to be done. Facebook has proactively reset all potentially affected access tokens, and users had to log in again. If your account is working fine now, you are in the clear. If you cannot log into your account, or if your password was changed last week by someone who isn’t you, you should contact Facebook to have your identity verified and your account recovered.