Yesterday, at least 90,000,000 Facebook users were forced to log back into the service without any explanation; later, the company revealed that at least 50,000,000 of them had been hacked, but wouldn't say how.
In a detailed anatomy of the hack based on an explanation provided by Facebook vice president of product management Guy Rosen, Motherboard's Lorenzo Franceschi-Bicchierai and Jason Koebler provide insight into the mechanics of the breach.
The vulnerability was in Facebook's somewhat esoteric "View as" feature. This feature allows Facebook users to assure themselves that the privacy settings they've chosen for their posts are working as intended. If you make a post that you want your parents to be able to see, but not your boss, "View as" will let you preview the post as if you were your boss, and then as if you were your parents, and confirm that you've got the confusing welter of Facebook privacy options right.
The attackers were able to exploit a bug in this feature to capture "access tokens" when they used "View as." By viewing a post as your boss, they could trick the system into generating an "access token" that they could use to actually log in to Facebook as your boss. These access tokens are used to spare users the inconvenience of being prompted to log in to Facebook every time an app or window tries to connect them to their Facebook data.
Logging out of Facebook cancels outstanding access tokens, which is why Facebook logged 90,000,000 users out yesterday.
Rosen did not discuss the identity of the attackers, nor which data they were able to steal from the affected Facebook users.
The first bug, Rosen explained, caused a video uploader to show up on View As pages "on certain kinds of posts encouraging people to post happy birthday greetings." Normally, the video uploader should not have shown up. The second bug caused this video uploader to generate an access token that had permission to log into the Facebook mobile app, which is not how this feature "is intended to be used," according to Rosen.
The final bug, Rosen explained, was that when the video uploader showed up as part of the View As feature, it generated a new access token not for the user, but for the person who they were pretending to be—essentially giving the person using the View As feature the keys to access the account of the person they were simulating. In the example we gave above, this would not only have allowed you to look at John's profile using the View As John feature, but it also would have generated an access token allowing you to log in to and take over John's account.
"It was the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers," Rosen said. "Those attackers, in order to run the attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot that access token to other accounts and then look up other users in order to get further access tokens."
How 50 Million Facebook Users Were Hacked [Lorenzo Franceschi-Bicchierai and Jason Koebler/Motherboard]
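The three bugs described above reduce to one broken invariant: a token was minted for the identity a page was rendered as, not for the authenticated session that requested it. The sketch below is an added illustration, not Facebook's code; every name in it (`RequestContext`, `issue_token_flawed`, `issue_token_hardened`, `token_matches_session`, the scope strings) is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RequestContext:
    session_user: str                   # authenticated principal who sent the request
    view_as_user: Optional[str] = None  # set only while previewing as someone else

    @property
    def rendered_as(self) -> str:
        # Whose view the page shows; this is display state, not an authenticated identity.
        return self.view_as_user or self.session_user

@dataclass(frozen=True)
class AccessToken:
    subject: str   # account the token logs in as
    scope: str     # what the token may be used for (constructed scope names)

class TokenIssuanceDenied(Exception):
    pass

def issue_token_flawed(ctx: RequestContext) -> AccessToken:
    # Models the reported flaw: the subject is taken from the rendering identity
    # and the scope is broad enough for a full app login.
    return AccessToken(subject=ctx.rendered_as, scope="mobile_app_login")

def issue_token_hardened(ctx: RequestContext, scope: str = "video_upload") -> AccessToken:
    # A preview is read-only: nothing rendered inside it may mint a credential.
    if ctx.view_as_user is not None:
        raise TokenIssuanceDenied("no token issuance inside a View As preview")
    # Least privilege: an upload widget only ever gets an upload-scoped token.
    if scope != "video_upload":
        raise TokenIssuanceDenied(f"scope {scope!r} not permitted for this widget")
    # The subject always comes from the authenticated session.
    return AccessToken(subject=ctx.session_user, scope=scope)

def token_matches_session(ctx: RequestContext, token: AccessToken) -> bool:
    # Invariant worth asserting and alerting on at the issuance point.
    return token.subject == ctx.session_user
```

Logging every issuance where `token_matches_session` is false gives a detection signal for this class of bug even when the hardened check is bypassed elsewhere.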