Massive breach of Facebook security: all we know




The social network revealed on Friday that an unprecedented security breach, discovered on September 25, had affected nearly 50 million user accounts. Unlike the Cambridge Analytica scandal, in which a third-party company improperly accessed data that a legitimately installed quiz app had siphoned off, this vulnerability let attackers take direct control of user accounts.

The bugs that made the attack possible have since been fixed, according to Facebook. The company says the attackers could see everything in a victim's profile, though it remains unclear whether that includes private messages, or whether any of the data has been misused. As part of the fix, Facebook automatically logged 90 million users out of their accounts on Friday morning: the 50 million affected accounts plus a further 40 million. Later on Friday, Facebook also confirmed that third-party sites that users log into with their Facebook accounts could be affected as well.

"We have been able to fix the vulnerability and secure the accounts, but it is a problem that this happened in the first place."

Mark Zuckerberg, Facebook

Facebook says that affected users will see a message about the problem at the top of their news feed when they log back in to the social network. "Your privacy and security are important to us," the update reads. "We want to let you know about recent action we've taken to secure your account," followed by a prompt to click through for more details. If you were not logged out but want to take additional precautions, you can check this page to see where your account is currently logged in and log those sessions out.

Facebook has not yet identified the hackers or where they came from. "We may never know," said Guy Rosen, Facebook's vice president of product, on a call with reporters on Friday. The company is currently working with the Federal Bureau of Investigation (FBI) to identify the perpetrators. A Taiwanese hacker named Chang Chi-yuan had promised this week to live-stream the deletion of Mark Zuckerberg's Facebook account, but Rosen said Facebook was not "aware that that person was related to this attack."

"If the attacker exploited custom and isolated vulnerabilities and the attack was highly targeted, there may be no trace or intelligence that allows investigators to connect the dots," says Lukasz Olejnik, a security and privacy researcher and member of the W3C Technical Architecture Group.

On the same call, Facebook CEO Mark Zuckerberg reiterated his earlier statements about security as an "arms race".

"It's a really serious security issue and we take it very seriously," he said. "I'm glad we found this, and that we were able to fix the vulnerability and secure the accounts, but it's clear that it's a problem that this happened in the first place."

The social network says that its investigation into the breach began on September 16, when it noticed an unusual increase in the number of users accessing Facebook. On September 25, the company's engineering team discovered that hackers had exploited a chain of bugs in a Facebook feature that lets users see what their own profile looks like to others. The "View As" feature is designed to let users check how their privacy settings affect what another person can see.

The first bug caused Facebook's video uploader to be mistakenly displayed on the "View As" page. The second allowed the uploader to generate an access token (the credential that keeps you logged in to your Facebook account on a device, so you do not have to sign in on every visit) with the same login permissions as the Facebook mobile app. Finally, when the video uploader appeared in "View As" mode, it generated an access token for whichever user the hacker was looking up, rather than for the hacker's own account.

"It's a complex interplay of several bugs," said Rosen, adding that hackers probably needed some level of sophistication.

This also explains Friday morning's logouts: they reset the access tokens of the accounts directly affected, and of the additional accounts that had been "looked up through View As" over the past year, Rosen said. Facebook has temporarily disabled "View As" while it continues to investigate the problem.
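The bug chain and the token reset described above, modelled as an added example that is not Facebook's code: the token store, the `view_as` parameter and the account names are constructed. It shows why a tool embedded in a preview must mint tokens only for the authenticated principal, and how a response can revoke by minting context rather than by token holder.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed model, not Facebook's code: a token names the account it acts
# for ("subject") and records the context in which it was minted.
@dataclass
class Token:
    value: str
    subject: str          # account the token grants access to
    issued_to: str        # account that was actually authenticated
    via_view_as: bool     # minted while a "View As" preview was open
    issued_at: float

@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)  # value -> Token
    def mint(self, subject, issued_to, via_view_as):
        tok = Token(secrets.token_hex(16), subject, issued_to, via_view_as, time.time())
        self.tokens[tok.value] = tok
        return tok

    def whoami(self, value):
        tok = self.tokens.get(value)
        return tok.subject if tok else None

    def revoke_where(self, predicate):
        doomed = [v for v, t in self.tokens.items() if predicate(t)]
        for v in doomed:
            del self.tokens[v]
        return len(doomed)

# Vulnerable pattern: the embedded uploader takes its principal from the page
# context, so inside a View As preview it mints a token for the viewed
# account instead of the logged-in user.
def uploader_token_vulnerable(store, logged_in, view_as=None):
    subject = view_as if view_as is not None else logged_in
    return store.mint(subject, logged_in, via_view_as=view_as is not None)

# Fixed pattern: the subject is always the authenticated principal, and a
# tool that mints credentials is simply not available inside a preview.
def uploader_token_fixed(store, logged_in, view_as=None):
    if view_as is not None:
        raise PermissionError("uploader not available in View As preview")
    return store.mint(logged_in, logged_in, via_view_as=False)

# Response modelled on the article: reset every token minted through View As
# in the lookback window, whoever currently holds it.
def reset_view_as_tokens(store, since):
    return store.revoke_where(lambda t: t.via_view_as and t.issued_at >= since)
```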

"It's easy to say that security testing should have caught this, but these types of vulnerabilities can be extremely difficult to find or detect, because they rely on dynamically testing the site itself while it is running," says David Kennedy, CEO of the cybersecurity firm TrustedSec.

The vulnerability could not have come at a worse time for Facebook, whose leaders are still reeling from a series of scandals that followed the 2016 US presidential election. A massive Russian disinformation campaign was allowed to go unnoticed on the platform, followed by revelations that third-party companies such as Cambridge Analytica had collected users' data without their knowledge.

"There is simply no trace or adequate intelligence allowing investigators to connect the dots."

Lukasz Olejnik, security researcher

The social network already faces numerous federal investigations into its privacy and data-sharing practices, including one by the Federal Trade Commission and another by the Securities and Exchange Commission. Both concern its statements around Cambridge Analytica.

It also faces the specter of more aggressive regulation from Congress, in the wake of a series of sometimes contentious hearings on data privacy. After Facebook's announcement on Friday, Senator Mark Warner (D-Virginia), vice chairman of the Senate Intelligence Committee, called for a "full investigation" of the breach. "Today's disclosure is a reminder of the dangers posed when a small number of companies like Facebook or the Equifax credit reporting agency are able to accumulate so much personal data about Americans without adequate security measures," Warner said in a statement. "This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users."

Facebook could also face unprecedented scrutiny in Europe, where the new General Data Protection Regulation, or GDPR, requires companies to disclose a breach to a European regulator within 72 hours. Where there is a high risk to users, the regulation also requires that they be notified directly. Facebook says it has informed the Irish Data Protection Commission of the problem.

This is the second security vulnerability Facebook has disclosed in recent months. In June, the company announced that it had discovered a bug that made 14 million posts publicly viewable for days. This, however, is the first time in Facebook's history that entire user accounts may have been compromised by outside hackers. How the company responds, and how quickly and fully it shares what it learns, will likely matter a great deal. Once again, all eyes are on Mark Zuckerberg.

Additional reporting by Lily Hay Newman.
