Facebook said on Tuesday that it’s found no evidence that attackers accessed third-party apps in the breach it announced last week.
Nevertheless, it’s building a tool to allow developers to manually identify which of their apps’ users may have been affected, so they can log them out.
In that breach, attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.
View As lets people see what their own profile looks like to someone else. The vulnerability allowed the attackers to steal Facebook access tokens that they could then use to take over people’s accounts.
Facebook fixed the vulnerability and reset the access tokens for a total of 90 million accounts: 50 million that had access tokens stolen and another 40 million that were subject to a View As look-up in the last year. Those users were subsequently prompted to log back in to Facebook, as well as back into any apps that use Facebook Login.
In Tuesday’s post, Facebook VP of Product Management Guy Rosen said that people have wondered what, exactly, the attack means for the apps that use Facebook Login. At this point, the company has analyzed logs for all third-party apps installed or logged in during the attack, which was discovered on Tuesday, 25 September. So far, there’s no sign that the attackers got at the apps using Facebook Login.
Facebook says that developers using official Facebook software development kits (SDKs) and those who regularly check the validity of their users’ access tokens are in the clear: they were automatically protected when Facebook reset access tokens. The purpose of the new tool is just to stay on the safe side and protect the non-SDK, non-validity-checking developers, Rosen says:
Out of an abundance of caution, as some developers may not use our SDKs – or regularly check whether Facebook access tokens are valid – we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.
It’s security SNAFUs like this that lead Facebook to recommend that developers stick to the official Facebook SDKs, Rosen said. These are its best practices for login security:
- Use the official Facebook SDKs for Android, iOS and JavaScript: they automatically check the validity of access tokens on a daily basis and force a fresh login when reset by Facebook, protecting the security of users’ accounts.
- Use the Graph API to keep information updated regularly and always log users out of apps where error codes show that any Facebook session is invalid.
Is my Facebook account on the Dark Web?
Understandably, in the aftermath of this big breach, minds turn to the auction block: if attackers got access tokens that could have let them take over accounts, does that make it possible that your account is being sold off by criminals on the Dark Web?
When Facebook first learned about the attack, it said that the vulnerability behind it came out of a change the platform made to its video uploading feature in July 2017 that affected View As, incorrectly generating an access token that had the permissions of the Facebook mobile app – not for you, but for whoever you might have looked up.
The vulnerability was there for a year: a year in which the attackers needed to find it and exploit it to get an access token, then pivot from one account to others to steal more tokens.
As of Wednesday, Facebook hadn’t yet figured out if the attackers accessed information in people’s accounts or abused the accounts in other ways. So yes, maybe your account is being sold on the Dark Web.
Maybe it’s there because of this vulnerability, or then again, maybe not. It’s not as if this vulnerability spontaneously created the market for hijacked accounts, be they for Facebook, PayPal, Netflix, Amazon, eBay, Twitter, Uber or Gmail, among scores of others.
The market has been around for quite some time. Back in 2016, PayPal accounts were fetching anywhere from $1 to $80, Gmail or Yahoo accounts would set you back between 70 cents and $1.20, and attention, Walmart shoppers, your accounts were going for $2.50.
So yes, there are no doubt Facebook accounts for sale on the Dark Web right now. But they could have been there for weeks, or months, access-token SNAFU or no access-token SNAFU.
Your accounts are worth cold, hard cash. Account monitoring company LogDog gives a few examples of why:
Any account that can generate fraudsters money, or even help them receive a service for free, has a demand in the cyber underground.
…Uber, for example, are sought after by fraudsters simply because they provide “free taxi rides”. Demand for adult entertainment accounts is high due to interest for self-consumption.
…eBay and Amazon are sought after… to steal money or credits from these accounts… Compromised dating site accounts are also often exploited for romance scams.
And then again, there are creeps who hijack victims’ Facebook and email accounts for the purpose or sextortion. There are hijackers taking over high-profile Instagram accounts and holding them for ransom.
Until Facebook finds evidence that this breach created a bonanza of access to valid accounts that didn’t already exist, there’s no reason to believe that it did. The sun comes up every morning, but nobody’s shaking a fist at it for causing their purloined accounts to show up on the Dark Web.