The recently announced Facebook breach directly affected 29 million users (down from the original estimate of 50 million), and others like it continue to occur nearly every day. Consider the Google+ user data exposure announced just recently, which triggered the eventual shutdown of the Google+ social network. The regulatory scrutiny and reputational damage incurred by companies are real and must be addressed at the board room level.
Preventing breaches can be a significant challenge, however, because modern web application and software design has become increasingly complex, and most security programs don’t take a holistic approach to managing all the points of software exposure.
Defining software exposure
We live in a world of massive digital transformation. The technical backbone of this transformation is software. Software can be found everywhere. It is in our homes, in our phones, and in our businesses. Over 80 per cent of the code in today’s software applications is open source. There will be 30 billion connected IoT devices by 2020. 85 per cent of customer interactions will be managed without any human interaction by 2020. Software is everywhere and it has become incredibly complex.
Furthermore, accelerating “time-to-market” has become the new name of the game: bringing products to market faster. Amazon deploys to production every 11.6 seconds. Facebook’s Android app alone goes through between 50,000 and 60,000 builds a day! DevOps has changed the way software is built and has led to new risk factors in the form of “Software Exposure.”
Anatomy of the Facebook breach
Three software flaws in Facebook’s systems enabled this attack. Oddly enough, the first two bugs were introduced via an online tool intended to improve user privacy. The third flaw was in a tool that allows users to upload birthday videos easily. Attackers used Facebook’s “View As” feature in addition to the video uploading program to steal access tokens. This allowed attackers to take control over a user's profile, which may lead to much greater consequences in the future – blackmail or phishing, for instance, or the exposure of highly private information.
"It’s important to say—the attackers could use the account as if they were the account holder." - Facebook’s vice president of product management Guy Rosen
Complexity and privacy risks
People may or may not be aware that every app they open is potentially a privacy risk. And when using a known social media platform, they are most likely not aware of the origin of the app or link they open. This is especially the case in social media platforms such as Facebook as third-party applications and websites intertwine into the main social media user interface. You think you are still on Facebook but you actually are not.
This is an example of the complexity of the application in addition to somewhat benign issues by themselves combining to formulate a significant breach. In this case the security issue in the “view as” functionality combined with the token issue in the video uploading program allowed the breach to happen. This is yet another prime example that breaches are not always self-contained issues but are a series of events or actions working together.
Consequences of the breach
Although the degree of impact is still under investigation, Facebook logged around 90 million people out of their accounts when they discovered the breach. That may not be sufficient, however, as the company confirmed that attackers may have gained access to third-party applications and websites – those that use Facebook Login to authenticate their users.
Facebook Login makes it easier for people to verify their identity via their Facebook profile across the web, on different sites and services; it was designed for convenience rather than security, however. Since the Facebook breach, it’s possible that accounts relying on Facebook for authentication have also been compromised. This puts pressure on those third-party apps and services to verify the security of accounts that use Facebook Login for access – and to notify those users if there has been suspicious activity on or changes to those accounts. It’s important to note that although hackers could have used the flaw to steal information belonging to third-party apps that use Facebook as a login method, Facebook said that no outside apps appear to have been affected.
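One way a third-party site that relies on Facebook Login can act on this advice is to re-validate every stored user token against Facebook’s Graph API `debug_token` endpoint, end sessions whose token is no longer valid (or no longer matches the expected app and user), and collect the users to notify. The code below is an added example, not from the article or from Facebook; the `debug_token` endpoint and its `is_valid`, `app_id` and `user_id` fields are the real Graph API, while the session records, the fake responses and the token strings are constructed so the example runs offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"

def fetch_debug_token(user_token, app_token, opener=urlopen):
    """Ask the Graph API whether a stored user token is still valid.
    debug_token requires an app access token to authorise the query."""
    query = urlencode({"input_token": user_token, "access_token": app_token})
    with opener(f"{GRAPH}/debug_token?{query}") as resp:
        return json.load(resp)["data"]

def revalidate_sessions(sessions, app_token, expected_app_id, debug=fetch_debug_token):
    """Re-check every active session established via Facebook Login.
    A session is ended when its token is reported invalid, was issued to a
    different app, or maps to a different user than the session was created for.
    Returns the ids of local users who must sign in again and be notified."""
    to_notify = []
    for s in sessions:
        if s["provider"] != "facebook" or not s["active"]:
            continue
        try:
            info = debug(s["token"], app_token)
        except Exception:
            info = {"is_valid": False}  # fail closed: treat lookup errors as revoked
        ok = (info.get("is_valid") is True
              and str(info.get("app_id")) == str(expected_app_id)
              and str(info.get("user_id")) == str(s["provider_user_id"]))
        if not ok:
            s["active"] = False
            to_notify.append(s["user_id"])
    return sorted(set(to_notify))

# Constructed sample: two Facebook Login sessions and one local password session.
SAMPLE_SESSIONS = [
    {"user_id": "u1", "provider": "facebook", "provider_user_id": "100", "token": "tok-good", "active": True},
    {"user_id": "u2", "provider": "facebook", "provider_user_id": "200", "token": "tok-revoked", "active": True},
    {"user_id": "u3", "provider": "password", "provider_user_id": None, "token": None, "active": True},
]

# Constructed stand-in for the Graph API so the example needs no network access.
FAKE_RESPONSES = {
    "tok-good": {"is_valid": True, "app_id": "123", "user_id": "100"},
    "tok-revoked": {"is_valid": False, "app_id": "123", "user_id": "200"},
}

def fake_debug(token, app_token):
    return FAKE_RESPONSES[token]

if __name__ == "__main__":
    print(revalidate_sessions(SAMPLE_SESSIONS, "app-token", "123", debug=fake_debug))  # ['u2']
```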
What can you do after a breach?
All of these factors make the Facebook breach particularly alarming for end users – certainly for the millions of users affected by this most recent breach, but also for the 2.23 billion monthly active users worldwide. Users worried about the security of both their Facebook account and any accounts accessed by Facebook Login may be looking for ways to lock down their account, and rightly so. Here are four initial steps to take:
- Make sure your passwords are complex and unique
- Enable two-factor authentication whenever possible
- Review authorised logins to third-party applications – log out of them and back in to reset the access token
- Verify whether your account was impacted in the Facebook breach
Facebook is taking this breach seriously, which is an important step. The approximately fourteen months that these flaws were present in the software are cause for concern, however. Google took their data exposure seriously enough to not disclose it publicly for months, then announce a shutdown of the Google+ network. Software security must be top of mind for organisations that reach so deeply into so many lives. Seemingly small flaws like the ones responsible for the attack at Facebook can have a huge impact, showing once again how critical a holistic approach to software security is in modern software development.
Matt Rose, Global Director Application Security Strategy, Checkmarx
Image Credit: Katherine Welles / Shutterstock