Facebook Breach: Design Problem Leads to Security Vulnerability

Even if you haven’t heard of the recent Facebook data breach, you might have noticed it if you’ve been forced to log out of Facebook recently. The move to reset nearly 100 million login tokens comes on the heels of the company disclosing that access to over 50 million user accounts had been compromised.

Reports indicate that three flaws in Facebook allowed hackers to break into user accounts and steal data from them. Unfortunately, that’s not the worst part. If you’re familiar with how Facebook works, it also communicates with third-party applications such as Spotify and Instagram in some cases, allowing those accounts to be controlled through Facebook.

Although investigations are still in the early stages, according to Tim Mackey, Technology Evangelist, Synopsys (Software Integrity Group), “The Facebook network breach shows how important an incident response plan is.”

Mackey added that in the case of the Facebook breach, the incident response includes information surrounding access tokens. He mentioned that the access tokens are the equivalent of a username and password combination but are used by applications to authenticate against other applications.

“If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook,” he added.

Flawed Design Leads to Security Vulnerability

“Getting software security right is difficult, but not impossible. This breach emphasizes just how important software security is, and how subtle solid security engineering can be,” said Dr Gary McGraw, Vice President of Security Technology, Synopsys (Software Integrity Group).

He noted that when a feature like “View As” can be turned on its head into an exploit, it indicates a design problem that led to an unanticipated security vulnerability. McGraw further commented that design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built.

Safety Through Greater Caution

In a note to TechBarrista, Sophos Principal Research Scientist Chester Wisniewski commented that in something as big and complicated as Facebook, there are bound to be bugs. He added that while the theft of these authorization tokens is certainly a problem, the risk to user privacy isn’t really as great as in other notable data breaches, or even Cambridge Analytica.

[Figure: 2017 Data Breach Level Index (Source: Gemalto)]

“As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with,” said Wisniewski.

Major Data Breaches Over 2017-2018

Data breaches are not unique to specific countries, and as long as companies continue to host connected data, there will no doubt be more. Over the past two years, major data breaches have hit companies around the globe, including in Russia, the US, the United Kingdom, Singapore and Malaysia.

Records lost this year alone include 150 million records at Under Armour, 1.5 million at SingHealth, 92 million at MyHeritage, 26 million at Ticketfly and 880,000 at Orbitz.