Facebook hacked: is your account safe?

Published at 2018-10-01 12:57:10


Security is an illusion, a truth increasingly relevant as social networking giant Facebook unearths a security breach affecting millions of users. A security flaw ended up exposing the private information of 50 million users, leaving the organisation perplexed. If you are a user and are not aware of this security breach – reported by Facebook itself – then you definitely need to learn about it. The vulnerability has existed since last year, and is the largest to date. Facebook’s engineers and security experts revealed that attackers exploited one of its features and then dumped the data of millions of users. It seems the security engineers trivialised the severity of this bug, which has existed since the feature was made available to users.
This is also the first time Facebook admitted to an unauthorised breach by unknown attackers. Last time, the data breach was caused by third-party app Cambridge Analytica, which Facebook did not consider an actual breach, since the data was dumped through an online app requiring a Facebook login to participate in a quiz. This was not too long ago, and 70 million accounts were compromised as a result.
How did Facebook get to know about the hack?
Over the past few days, Facebook noticed massive unwanted traffic in its ‘view as’ feature, forcing company engineers and security experts to scrutinise its backend code. Engineers found a security flaw in this feature, pushing them to disable it. By exploiting the flaw, an attacker was able to intrude into a Facebook account, read its personal messages, post unwanted content, dump credit card credentials, and so on.
What’s this ‘view as’ feature?
This feature enables users to preview what their profiles look like when other users view their profiles. Simply put, it lets Facebook users preview their own accounts.
Exploiting the ‘view as’ feature
According to Facebook, the hackers exploited three bugs in this feature, using its weaknesses to breach the privacy of accounts. Through this vulnerability, they were able to generate keys, access and dump tokens, and sign into user profiles without a password. This allowed them to read your private messages, post anything on your timeline, upload a picture or a video, and message any of your friends.
Access tokens: What are these digital keys?
You may have noticed that when you log into your Facebook account once, a security key (access token) is generated, which helps the app to log in to the user’s account next time without a password. We can say these access tokens are like digital tokens that keep you logged into your Facebook account so you do not have to enter your password the next time you open the app on your mobile. The attackers hijacked these access tokens, which helped them log into any of the millions of Facebook accounts.

The attackers then dumped the digital key, which was used for authentication, by performing an attack on the ‘view as’ feature. The weakness of this feature has left the engineering and security team baffled, as once again the privacy of millions has been breached. After a violation of this scale, people will no longer be able to trust Facebook as their privacy partner.
Severity of the bug
The severity of this bug was that the attackers could continue using your Facebook account pretending to be the genuine account holders, as they had your access token to provide them actual authentication to your account.
Facebook’s response
Facebook has notified law enforcement authorities about the breach, and has also reset the access tokens of around 90 million users as a precautionary measure. More than 90 million users were forced to log out from their devices, while the ‘view as’ feature behind the havoc was also disabled.
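To make the access token idea and the reset concrete, here is an added example that is not part of the original article and does not describe Facebook's actual systems. It is a toy server-side token store in which the class `TokenStore`, its methods and the user name `alice` are all assumptions made for illustration: a token logs its holder in without a password, and resetting the user's tokens makes every earlier copy useless.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Toy server-side session store (hypothetical; not Facebook's design)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Called once, after a successful password login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def authenticate(self, token, now=None):
        """Return the user the token belongs to, or None. No password is checked."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._digest(token))
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def revoke_user(self, user_id):
        """Invalidate every token of one user (the forced log-out response)."""
        stale = [d for d, (uid, _) in self._sessions.items() if uid == user_id]
        for d in stale:
            del self._sessions[d]
        return len(stale)


def demo():
    store = TokenStore()
    phone = store.issue("alice")      # constructed sample user, first device
    store.issue("alice")              # second device
    copied = phone                    # the same token value held by someone else
    before = store.authenticate(copied)
    revoked = store.revoke_user("alice")
    after = store.authenticate(copied)
    fresh = store.issue("alice")      # the user logs in again with the password
    return before, revoked, after, store.authenticate(fresh)
```

After the reset, only a token issued by a new password login is accepted, which is why affected users had to sign in again on every device.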
What should you do if you were forced to log in again?
If you were forced to log in again, that means your account was compromised. Simply put, you can log out or initiate a security audit on your device and account. Logging out from your account will expire old sessions.
You have to scrutinise your account by clicking on the ‘Settings’ page and then on the ‘Facebook security and login’ page. There you will see a hyperlinked text saying ‘Where you’re logged in’. Simply follow the instructions and analyse all devices from which you had logged into your account previously. You can see devices as well as their current location, and in case you see any unknown locations or devices, you can simply click on the remove button.
Moreover, you can uninstall the Facebook app and re-install it later, for that will ensure your old authentication tokens are lost. You can also try deactivating your account for some time, as reactivating it will also grant new access tokens, while old tokens will automatically expire.
Enabling two-factor authentication
The best way to secure your account is to enable the two-factor authentication system. Two-factor authentication involves the use of a one-time password as you try to log into your account. Whenever you try to log in, you have to enter a code which is sent to your number or email. More importantly, this feature protects your account from any attackers, even if they have your password.
As Facebook struggles in this day and age of frequent data breaches and violations of privacy, trying our personal best to protect our information is the very least we can do.

Source: tribune.com.pk
