How Facebook was hacked and why it's a disaster for Internet security




Facebook dropped a bombshell on Friday, revealing that an unknown hacker had breached the site and compromised the accounts of 50 million users. The company's security team found that three bugs had been used in the attacks, and said they were chained together to successfully take over Facebook accounts.

Speaking to Forbes, Thomas Shadwell, a professional web application and cyber security researcher, offered a plausible theory of how the mystery hacker or hackers carried out what appears to be the biggest attack of all time.

The attacker's ultimate goal was to steal so-called "OAuth bearer tokens". Essentially, these tokens prove that a Facebook user is the legitimate owner of an account and indicate what that user has access to. As Shadwell describes them, "OAuth tokens are like car keys. If you hold them, you can use them; there is no discrimination against the holder." And in the context of this attack, these keys unlocked not only Facebook accounts but any site the affected users had signed into with a Facebook login. That could include Instagram or news sites.

To obtain these keys, the hackers abused a Facebook feature called "View As". It lets any user see what another user can see on their profile. For example, if you have blocked your father from viewing your photos, you can verify that the block is working by viewing your profile as your father.

"When Facebook created the View As feature, it seemed like it was changing the way Facebook would work if it were seen by that other user," Shadwell said. "Which of course means that in case of an error, they could end up sending the credentials of the spoofed user to the user of the 'View As' feature."

This is where things get a little weirder. If a user, via View As, impersonated a friend who had a friend with a birthday, the feature would also display a box inviting them to post a "happy birthday" video. Thanks to a Facebook bug introduced in July 2017, that video uploader handed the user one of these valuable tokens, Shadwell said. Specifically, the video player generated and sent the user a token, one that would log them into the Facebook mobile app as if they were the person they were impersonating via View As. From there, the user (in this case a malicious hacker) would have full access to that other person's account.
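The defect described above is a context confusion: code running inside a "View As" preview minted a token for the impersonated user instead of the real, logged-in user. The toy model below is an added example, not Facebook's code; every name and structure in it is hypothetical. It shows the vulnerable uploader beside a fixed one, and a server-side audit check that would have flagged the mismatch.

```python
# Toy model (added here; not Facebook's code) of the "View As" token-minting
# defect: a page rendered as another user must never mint a bearer token for
# that other user. All names and structures are hypothetical.
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed; stands in for a server secret


@dataclass(frozen=True)
class RenderContext:
    actor: str                       # the logged-in user driving the session
    view_as: Optional[str] = None    # user being impersonated for the preview

    @property
    def display_user(self) -> str:
        # The profile is rendered from the perspective of view_as when set.
        return self.view_as or self.actor


def mint_bearer_token(user: str) -> str:
    # Bearer token: whoever holds it can use it; nothing ties it to a presenter.
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def token_owner(token: str) -> Optional[str]:
    # Verify the MAC and return the user the token was minted for.
    user, _, mac = token.partition(":")
    expected = mint_bearer_token(user).split(":", 1)[1]
    return user if hmac.compare_digest(mac, expected) else None


def vulnerable_video_uploader(ctx: RenderContext) -> str:
    # Defect: the uploader takes its identity from the rendered perspective,
    # so inside a View As preview it mints a token for the impersonated user.
    return mint_bearer_token(ctx.display_user)


def fixed_video_uploader(ctx: RenderContext) -> str:
    # Fix: privileged artifacts are bound to the real actor only, and an
    # impersonation preview mints no token at all.
    if ctx.view_as is not None:
        raise PermissionError("no tokens minted inside a View As preview")
    return mint_bearer_token(ctx.actor)


def audit_minted_token(ctx: RenderContext, token: str) -> bool:
    # Invariant worth logging and alerting on: a token minted during a session
    # must belong to that session's actor, never to the previewed user.
    return token_owner(token) == ctx.actor
```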

Attackers would not have had a hard time turning the basic premise of this hack into something massive, affecting millions of accounts. "In terms of scale, well, there is not really any interaction between target and automation," Shadwell adds.

Facebook did not say how many accounts were hacked, where the victims were or who was behind the attack. According to Shadwell, it would have taken a lot of talent to pull it off. "It's very impressive technically to succeed."

An internet disaster

What is most disturbing, however, is what the hack has proven: a company with the resources and power of Facebook can have the keys to millions of accounts across the Web stolen from it. Since the keys let the hacker take over any account that used a Facebook login, the actual number of people affected is probably well over 50 million. Many people trust that Facebook can keep their login information secure, as they do with Google and other technology providers. Should we also trust Facebook's rivals with people's online security? This week's breach suggests perhaps not.

In its annus horribilis, Facebook has suffered an attack that not only gives those already planning to leave the social network one more reason to do so, but irrevocably tarnishes the trust between users and the companies they depend on to protect the privacy of their online lives.

As one cryptography expert put it on Twitter, it was a real internet disaster.
