A recent court filing indicates that Facebook knew about the bug in its View As feature that led to the 2018 data breach – a breach that would turn out to affect nearly 29 million accounts – and that it protected its employees from repercussions of that bug, but that it didn’t bother to warn users.
There was a class action lawsuit – Carla Echavarria and Derrick Walker v. Facebook, Inc. – filed within hours of Facebook’s revelations last September that attackers had exploited a vulnerability in its “View As” feature to steal access tokens: the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.
Reuters reports that the lawsuit in question actually combined several legal actions, presumably including the one filed on the same day as Facebook disclosed the breach.
The breach
As Naked Security’s Paul Ducklin explained at the time, the View As feature lets you preview your profile as other people would see it.
This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private. But crooks figured out how to exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y. From Paul:
If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.
That’s exactly what attackers did: they took the profile details belonging to some 14 million users, including birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins.
According to Reuters, another 15 million users had only their name and contact details exposed. The attackers could also see posts and lists of friends and groups of about 400,000 users.
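The design point behind the bug described above is that a preview feature may only ever change what is shown, never whose identity the server acts under. The following is an added, simplified model written for this page; it is not Facebook’s code and makes no claim about how its systems work. The session, profile, token format and field names are all constructed for the illustration. It shows a token minter that refuses to issue a token for anyone but the authenticated session owner, a hardened View As renderer that uses the target user purely as a visibility filter, the failure mode the article describes (a preview path that ends up carrying the target user’s token) beside it, and a release-gate check that catches that leak in tests.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample material for the illustration: a server-side signing key.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Session:
    """An authenticated browser session; user_id is the account that logged in."""
    user_id: str


@dataclass
class Profile:
    owner: str
    # field name -> (value, audience); audience is "public", "friends" or "only_me"
    fields: dict
    friends: set = field(default_factory=set)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_access_token(session: Session, subject: str) -> str:
    """Issue a signed access token for `subject`.

    Hardened rule: the subject must be the user who actually authenticated.
    No preview or impersonation code path can mint another user's token.
    """
    if subject != session.user_id:
        raise PermissionError("refusing to mint a token for a user other than the session owner")
    payload = f"{subject}:{int(time.time())}:{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def token_subject(token: str) -> Optional[str]:
    """Return the user a token was issued for, or None if the signature is bad."""
    payload, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    return payload.split(":", 1)[0]


def visible_fields(profile: Profile, viewer: str) -> dict:
    """Filter a profile down to what `viewer` is allowed to see."""
    is_friend = viewer in profile.friends
    return {
        name: value
        for name, (value, audience) in profile.fields.items()
        if viewer == profile.owner
        or audience == "public"
        or (audience == "friends" and is_friend)
    }


def render_view_as_flawed(session: Session, profile: Profile, target: str) -> dict:
    """Model of the failure mode: an embedded component on the preview page runs
    *as* the target, so the rendered page carries a token for the target user."""
    page = {"fields": visible_fields(profile, target)}
    payload = f"{target}:{int(time.time())}:{secrets.token_hex(8)}"
    page["component_token"] = f"{payload}.{_sign(payload)}"  # bypasses the session check
    return page


def render_view_as(session: Session, profile: Profile, target: str) -> dict:
    """Hardened preview: `target` only influences the visibility filter. Any
    component on the page that needs a token receives the viewer's own."""
    if session.user_id != profile.owner:
        raise PermissionError("a profile can only be previewed by its owner")
    page = {"fields": visible_fields(profile, target)}
    page["component_token"] = mint_access_token(session, session.user_id)
    return page


def page_leaks_token_for(page: dict, session: Session) -> bool:
    """Release-gate check: does a rendered page carry a token for anyone other than
    the session owner? Run over preview output in tests to catch a regression."""
    tok = page.get("component_token")
    return tok is not None and token_subject(tok) != session.user_id


def demo():
    """Constructed scenario: Alice previews her profile as her friend Bob."""
    alice = Session("alice")
    profile = Profile(
        owner="alice",
        fields={
            "name": ("Alice", "public"),
            "employer": ("Example Corp", "friends"),
            "birthday": ("1990-01-01", "only_me"),
        },
        friends={"bob"},
    )
    return render_view_as(alice, profile, "bob"), render_view_as_flawed(alice, profile, "bob")
```

The check in `page_leaks_token_for` is the kind of invariant worth asserting in a test suite for any feature that renders one user’s view to another: the rendered output must never contain credentials for a principal other than the authenticated session.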
Facebook knew about it and “failed to fix it for years”
On Thursday, in a heavily redacted section of the filing in the US District Court for Northern California, the plaintiffs said that Facebook knew about, and failed to fix, the vulnerability for years.
What’s even worse: the plaintiffs allege that Facebook could and did protect its own employees from the fallout, leaving everybody else as sitting ducks.
Reuters quoted the filing:
Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge.
Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.
Facebook hadn’t responded to requests for comment as of Friday afternoon. It’s also given out scant details about the breach since initially disclosing the attack. All that it’s said is that the breach affected a “broad” spectrum of users. It hasn’t broken down the numbers by country.
The court wants those details: Judge William Alsup told Facebook in January that he was willing to allow “bone-crushing discovery” in the case to uncover how much user data was stolen. According to Law360, Alsup said that he is sympathetic to users’ concerns and that those concerns are worth “real money”, as opposed to “some cosmetic injunctive relief.”