At 9:41 am on September 28, 2018, Facebook announced on its newsroom site (https://newsroom.fb.com) that it had discovered a security vulnerability that could allow hackers to gain access to the accounts, and potentially the information, of nearly 50 million users.

In the press release, Facebook VP of Product Management Guy Rosen writes:

1. The technical team discovered the bug on the afternoon of September 25.

2. The security vulnerability appeared in July 2017, was identified on September 25, 2018, and detected on September 27, 2018.

3. Currently, FB has basically confirmed that some hackers have taken advantage of this vulnerability to launch attacks.

4. On the morning of September 27, about 50 million Facebook accounts were compromised.

5. After the problem was discovered, FB reset the access information of the 50 million users affected.

6. In addition to the 50 million users affected, FB also performed the same reset for another 40 million users. A total of 90 million users are affected.

7. On the evening of September 26, Facebook said it had fixed the bug and notified law enforcement authorities, including the FBI and the Irish Data Protection Commission.

Facebook shares, which were down about 1.5% before the disclosure, fell further on the news, closing down 2.59% at $164.46 after hitting an intraday low of $162.56.


The security flaw exists in the code for Facebook’s “View As” feature.

Because Facebook's privacy settings are extremely complicated, users often do not know which of the information they post others can or cannot see.

View As is a feature that lets users view their own profile as another person would see it, so they can verify that their privacy settings do what they intend.

FB revealed that hackers had used the flaw to steal users’ access tokens.

The purpose of the access token is to keep the user logged in, so that the user does not have to enter a password every time they need to authenticate.

With a token, a hacker can get into someone's account and see posts and messages that were set to stay private.

In response, FB reset the access tokens of the 50 million users affected by the bug and of another 40 million who could be targeted by further attacks.


From the official information alone, we cannot tell exactly how the access tokens were leaked and then used by the attackers.

However, we can use OAuth2 to explain what an access token does and how it is kept secure.

OAuth2 is an authorization framework that lets third-party applications access a user's information in a service once the user has authorized it. The most common scenario is third-party login; a more complex one is a third-party app that reads a user's profile or repository data through GitHub's developer API. OAuth2 is widely used by web, desktop and mobile apps to provide an authorization mechanism, so that data can be shared between different applications with controlled access rights.

The most typical OAuth2 flow, the Authorization Code grant, is shown in the figure below:

We can divide the whole OAuth2 flow into three stages.

The first stage obtains authorization from the user, corresponding to steps 1 and 2 in the figure.

The second stage requests the access_token, corresponding to steps 3 and 4 in the figure.

The third stage uses the access_token to fetch the user's data, corresponding to steps 5 and 6 in the figure. This process involves many sensitive parameters and data, and the access_token is, in effect, the user's session ID.

In other words, once a hacker obtains an access_token, he can read your user data without knowing your username or password.


That said, the OAuth2 protocol itself is relatively secure, at least more secure than a plain username-and-password login.

When access tokens leak, as in the Facebook case, at least the password is not disclosed, and as soon as the site resets the user's access tokens the old ones become invalid. So the impact is smaller than a leak of usernames and passwords.

However, OAuth has been the source of many vulnerabilities, most of them caused by improper use. WooYun disclosed a great many website bugs caused by incorrect OAuth implementations:

  • CSRF that hijacks a third-party account

    • WooYun: Damai is at risk of account hijacking

    • WooYun: Meilishuo OAuth vulnerability allows account hijacking

  • Unvalidated redirect parameters leaking the authorization code

    • WooYun: Interception of OpenID and OpenKey on Tencent Weibo's open platform

    • WooYun: Potential risks in the process of obtaining the OAuth2.0 Authorization Code

  • Replay attack

    • inWatch-inHealth: several security bugs in the client interface

  • Application impersonation: obtaining a token and taking control of the user's account

    • @Jiong Tiger Zhang Jianwei: SSO authorization defects in the Sina Weibo Android client

    • WooYun: Design flaws in Tencent open platform's single sign-on (SSO) scheme lead to phishing risks

  • Obtaining the access token directly with the platform username and password

    • WooYun: Brute-force vulnerability in the Kaixin001 Android client; 2000 accounts tested, 132 succeeded

    • CCTV 3.15 Gala: Android apps stealing user data is a serious problem

The specific security precautions for OAuth2 are not covered here; interested readers can search for them. Maybe I'll write a separate article later to analyze them further.
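As an added example, not code from the original article or from Facebook, here is a toy Python simulation of the three stages described above (authorization, token exchange, data access) together with the checks that address the vulnerability classes listed: a registered redirect_uri, a client secret, single-use codes, a state parameter, and the token reset used as remediation. The class and method names, the client credentials and the user name are all constructed for the example.

```python
import secrets

class AuthServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # one-time authorization codes
        self.tokens = {}        # access_token -> user; the token acts as a session ID

    def authorize(self, client_id, redirect_uri, user):
        # Stage 1 (steps 1-2): the code goes only to the registered redirect_uri, so it cannot leak.
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri not registered")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # Stage 2 (steps 3-4): client_secret blocks app impersonation; pop() makes the code single-use.
        if not secrets.compare_digest(client_secret, self.clients[client_id][0]):
            raise PermissionError("bad client secret")
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid or replayed code")
        self.tokens[(tok := secrets.token_urlsafe(32))] = entry[2]
        return tok

    def userinfo(self, access_token):
        # Stage 3 (steps 5-6): any holder of the token gets the data, no password needed.
        if access_token not in self.tokens:
            raise PermissionError("token invalid")
        return {"user": self.tokens[access_token], "private_posts": ["friends only"]}

    def reset_tokens(self, user):
        # The remediation the article describes: every token of the user stops working.
        self.tokens = {t: u for t, u in self.tokens.items() if u != user}

class ClientApp:
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.pending = server, {}  # pending: browser session -> expected state
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri

    def start_login(self, session_id):
        self.pending[session_id] = state = secrets.token_urlsafe(16)
        return state

    def callback(self, session_id, code, state):
        # The state check stops a CSRF that logs the victim's browser into the attacker's account.
        if not secrets.compare_digest(self.pending.pop(session_id, ""), state):
            raise PermissionError("state mismatch: possible CSRF account hijack")
        return self.server.token(self.client_id, self.client_secret, code, self.redirect_uri)
```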


“This is a very serious security issue, and we’re taking it very seriously,” Mark Zuckerberg, Facebook’s chief executive, said in a swift response to the Facebook breach.

Facebook is the world's largest social platform, with 2.2 billion users. In the 15 years since its founding, the company has had relatively few information breaches caused by hacking attacks; strictly speaking, there have been only one or two large-scale, high-impact hacking incidents.

In 2013, the contact information of more than six million users was exposed after a programmer botched some code and the mistake went undetected in code review.

Around 2014 and 2015, the data analytics company Cambridge Analytica abused Facebook's developer platform to illegally mine the data of more than 87 million users and sold it to some local election teams to interfere in the election. Facebook's senior officials knew about it but did nothing.

Zuckerberg appeared before Congress earlier this year over the scandal, and Facebook was forced into an investigation that wiped tens of billions of dollars off its market value.

The investigation is still unfolding, and Facebook had barely recovered from the Cambridge Analytica scandal when this hack occurred.

Strictly speaking, of course, Facebook is also a victim here. Unfortunately, it has fewer and fewer sympathizers. After the announcement, there was a lot of abuse online, which basically boiled down to:

“After all this research on how to mine our data to make money, why can’t you study your vulnerabilities more?”

In the wake of the incident, mainstream US media reports invariably quoted Zuckerberg's pledge from an earlier hearing:

“We have a responsibility to protect your data, and if we can't do that, then we don't deserve to serve you.”

References: Facebook has been hacked again, this time nearly 100 million users affected (https://www.pingwest.com/a/177864); OAuth research and study notes (http://www.tasfa.cn/index.php/2016/03/26/note_of_oauth/)
