It’s been a bad week for Facebook and its two billion-plus users.
Firstly it was discovered by computer scientists at Northeastern University that Facebook was allowing advertisers to target advertising at individuals by exploiting phone numbers only given by the users for the purposes of two-factor authentication (2FA).
In short, even if you had set your Facebook privacy controls to their most restrictive settings – advertisers could still target you because you had (quite sensibly) enabled two-factor authentication to protect your account from hackers.
Similarly, according to the research, it seems there are pitfalls if users provide their phone number to receive alerts about unrecognised logins on their Facebook account:
“Facebook allows users to add email addresses or phone numbers to receive alerts about logins from unrecognized devices. We added a phone number and an email address to an author’s account to receive login alerts, and found that both the email address and phone number became targetable after 17 days.”
It’s one thing to use information that users choose to include in their Facebook profile for targeted advertising. It’s quite another to take advantage of information that was only shared with the site to boost security.
Remember, unrecognised login alerts and 2FA are features that users should be actively encouraged to enable, to better protect their Facebook accounts. When Facebook is revealed to be helping advertisers exploit such private, personal information, it only encourages users not to enable these protections in the first place.
And that’s not all… The researchers confirmed that Facebook was using “shadow contact information”, collected from other Facebook users’ address books, and associating them with your account. Facebook hides the fact that it has connected, for instance, alternative email addresses and phone numbers to your profile but uses it to assist targeted advertising.
As Kashmir Hill of Gizmodo explains:
…if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.
All of this amounts to what the EFF describes as “deceptive and invasive” practices by Facebook, which ignore “reasonable security and privacy expectations”.
Such behaviour by Facebook inevitably erodes users’ trust in the service.
And then the world found out about the security breach.
On Friday 28th September, Facebook went public with details of a “security issue” that it had discovered earlier in the week.
Approximately 50 million accounts were left exposed to attackers who were able to exploit a vulnerability in the site’s “View As” feature (actually a combination of three bugs). This security hole allowed hackers to steal users’ access tokens:
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The bad news is that these Facebook access tokens could not only be used to access Facebook accounts, but also other third-party apps that use Facebook for login.
According to Facebook, the vulnerability in its code was introduced in July 2017, and on September 16th 2018 it saw a massive spike in traffic on its servers as hackers exploited the flaw and harvested access tokens for other users’ accounts. It took until September 25th for Facebook to determine that there had been a security breach.
Facebook says it has temporarily disabled its “View As” feature until it has completed a “thorough security review”.
You can learn more about both of these issues in this edition of the “Smashing Security” podcast:
What a week. It’s enough to make you reconsider your relationship with Facebook, isn’t it?
I quit Facebook earlier this year. If you’re finding it hard to imagine doing the same, why not listen to this “Smashing Security” podcast we put together describing the process of quitting Facebook:
If it helps, just consider your Facebook departure as “temporary” while you complete a “thorough security review.” You may find you don’t miss it at all.