Since the European Union’s (EU) General Data Protection Regulation (GDPR) took effect at the end of May, it’s been a waiting game to see what actions might trigger a major response. Although there has been an overall spike in complaints since the regulation took effect, there hasn’t been a large enough event to catch headlines state-side. Facebook may have changed that this past weekend, as the social media giant revealed that at least 50 million user accounts were breached. Yikes.
In a statement released on September 28, 2018, Guy Rosen, Facebook’s VP of Product Management said that the data breach was discovered on Tuesday, September 25, and that the team was rapidly working to address the issue. In the disclosure, Rosen said it was “clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’ a feature that lets people see what their own profile looks like to someone else.” From there, the hackers were able to steal access tokens, which are “digital keys that keep people logged in to Facebook,” so that they do not need to re-enter their password every time they launch the platform.
This is a devastating revelation, as the theft of an access token is akin to the direct theft of login credentials; a hacker can use that token to gain full, unfiltered access to that user’s account, including apps that the user has linked to their account.
The Attack Platform
In the technical details provided alongside the disclosure, Pedro Canahuati, Facebook’s VP of Engineering, Security and Privacy, laid out the attack vector, which was open as “the result of the interaction between three distinct bugs.” They were:
- A vulnerability in the “View As” feature prevented it from rendering a user profile as view-only, providing the opportunity to post a video;
- The July 2017 version of the video uploader feature, which was presented in “View As” mode as a result of the vulnerability, improperly generated an access token granting the permissions of the Facebook mobile app;
- When the above bugs interacted, the video uploader generated the access token not for you, but for the user whose profile you were looking up.
So, to break that down: you could use “View As” mode to look at your profile as a friend and then use the composer that lets you post a happy birthday message to someone’s profile. When activated, the video uploader feature would generate an access token in the HTML of the page for the user whose name you entered into the composer. Rinse and repeat.
With those tokens, a hacker could then bounce from account to account, repeating the process until they obtained full account access for anyone who had used the “View As” feature in the previous year.
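The chain above is, at bottom, a token issued for the wrong principal: a feature that should only render a page minted a credential, and keyed it on the profile being viewed rather than on the logged-in session. The following model is an added example written for this post, not Facebook code; every name in it (the `Session` and `Token` types, the `view_as` flag, the `TOKEN_GENERATION` counter) is an assumption made for illustration. It shows the vulnerable issuance path beside a hardened one, an audit check that flags issuance records where the token subject differs from the session owner, and the bulk reset of a user’s tokens that the disclosure describes as the remediation.

```python
"""Constructed model of the 'View As' token-confusion chain (not Facebook code)."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

SERVER_KEY = b"demo-signing-key"  # constructed placeholder, never a real secret

# Per-user token generation; bumping it is the "reset access tokens" remediation.
TOKEN_GENERATION: Dict[str, int] = {}


@dataclass
class Session:
    user_id: str                   # the authenticated principal
    view_as: Optional[str] = None  # profile being rendered via "View As", if any


@dataclass
class Token:
    subject: str  # whose account the token unlocks
    scope: str    # e.g. the mobile app's broad permissions
    gen: int      # generation at issuance, checked for bulk revocation
    nonce: str    # makes each token distinct
    mac: str      # HMAC over the fields above


def _mint(subject: str, scope: str) -> Token:
    gen = TOKEN_GENERATION.get(subject, 0)
    nonce = secrets.token_hex(8)
    body = f"{subject}|{scope}|{gen}|{nonce}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return Token(subject, scope, gen, nonce, mac)


def is_valid(token: Token) -> bool:
    """A token verifies only if its MAC matches and its generation is current."""
    body = f"{token.subject}|{token.scope}|{token.gen}|{token.nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.mac):
        return False
    return token.gen == TOKEN_GENERATION.get(token.subject, 0)


def reset_tokens(user_id: str) -> None:
    """Invalidate every outstanding token for one account by bumping its generation."""
    TOKEN_GENERATION[user_id] = TOKEN_GENERATION.get(user_id, 0) + 1


def vulnerable_uploader_token(session: Session) -> Token:
    """The three bugs combined: the composer still runs under 'View As', the uploader
    mints a mobile-app-scoped token, and it keys that token on the profile being
    viewed instead of on the logged-in user."""
    subject = session.view_as or session.user_id
    return _mint(subject, "mobile_app")


class ViewAsReadOnly(Exception):
    pass


def hardened_uploader_token(session: Session) -> Token:
    """'View As' is a pure rendering mode: refuse to mint anything while it is active,
    and always bind the token to the authenticated principal, never to a viewed profile."""
    if session.view_as is not None:
        raise ViewAsReadOnly("no token issuance while rendering another user's view")
    return _mint(session.user_id, "mobile_app")


def audit_issuance(log: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag issuance records whose token subject is not the session owner.
    Each record is a constructed (session_user, token_subject) pair."""
    return [rec for rec in log if rec[0] != rec[1]]


if __name__ == "__main__":
    viewer = Session(user_id="alice", view_as="bob")   # constructed accounts
    leaked = vulnerable_uploader_token(viewer)
    print("vulnerable path minted a token for:", leaked.subject)
    try:
        hardened_uploader_token(viewer)
    except ViewAsReadOnly as err:
        print("hardened path refused:", err)
    print("audit flags:", audit_issuance([("alice", "alice"), ("alice", "bob")]))
    reset_tokens("bob")
    print("leaked token still valid after reset?", is_valid(leaked))
```

The audit function is the detection angle: if token issuance is logged with both the session owner and the token subject, a mismatch between the two is the signal that this class of bug is being exercised, and it is cheap to alert on. The generation counter is the remediation angle: resetting a user’s tokens means every previously issued token stops verifying, which is what forcing the affected accounts to log back in achieves.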
GDPR and the Aftermath of the Attack
In what was probably a wise move, Facebook took immediate action to kill the threat. First, they reset access tokens for the at least 50 million accounts that were directly affected, and another 40 million accounts “that have been subject to a View As look-up in the last year.” They’ve also completely disabled the View As feature (which ironically served as a privacy tool, allowing users to adjust their privacy settings based on what they saw) while they conduct a full security review of the code.
When Dustin Volz, a cyber and intelligence reporter for the Wall Street Journal, asked during a press call about the attack’s level of sophistication and who may be involved, Rosen responded that “we may never know” the hackers’ identities.
Following the disclosure, the Wall Street Journal reached out to Ireland’s Data Protection Commission, which serves as the EU’s Facebook privacy lead, to see what actions were in the works. In its response on Saturday, September 29, the Commission noted that it had contacted Facebook regarding the scale of the breach and to determine whether or not the accounts of EU residents were caught up in the hack.
The Journal noted that “under GDPR, companies that don’t do enough to safeguard their user’s data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher.” Breaking that out for Facebook, their fine would be $1.63 billion.
Again, despite the increase in privacy complaints since GDPR took effect, the EU has yet to impose fines on anyone. With the year Facebook is having, it’s easy to imagine the company becoming the poster child for heavy penalties under the privacy regulation.
While no federal-level equivalent to GDPR exists in the United States, there are 50 state data breach laws currently in place, and measures like the California Consumer Privacy Act are likely to expand as privacy concerns grow. If you are in the business of handling consumer data or any other type of personally identifiable information, it doesn’t hurt to make sure you’re doing all you can to comply with the laws.