In what is one of the biggest hacks in the history of Facebook, almost 50 million accounts were compromised in an attack that also gave the hackers access to all linked services. Though Facebook eventually patched the vulnerability, the fact that millions of people had their private information accessed by a third party has raised serious questions about the safety of social media.
When employees at Facebook first detected the issue, they initially thought that only the accounts themselves were breached. But later on, Facebook discovered that the hack presented a bigger problem — several linked accounts were also compromised. So, if a person had accessed services like Tinder, Instagram, Spotify, or Airbnb by logging in through their Facebook account, then the hackers would have gotten into those accounts as well.
The hackers did this by tricking Facebook into issuing them access tokens, which are a sort of digital key. “The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” Tech Spot quotes Guy Rosen, Facebook’s vice president of product.
Once Facebook detected unusual activity, it revoked the access tokens and blocked the hackers from exploiting the vulnerability further. However, by then the hack had already affected close to 50 million accounts. Even the CEO, Mark Zuckerberg, said his account was affected.
The people behind the breach have not been apprehended, and an investigation is ongoing to find the culprits. The incident exposes a grim truth about how insecure information is on the Internet. Some U.S. Senators were of the opinion that the government needs to implement stricter measures to regulate social media.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures. This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over,” the Daily Mail quotes Virginia Senator Mark Warner.
The problem of Single Sign-On
Facebook’s Single Sign-On feature, which allows users to access websites like Tinder, Instagram, etc. by logging in through their Facebook account, was analyzed by a research team at the University of Illinois at Chicago. The team found that the entire system was plagued by vulnerabilities that any hacker could exploit. However, what shocked them was that users did not need to have ever logged into a third-party website with their Facebook account to be exposed.
“If you have a Facebook account, even if you’ve never used it to log into any other website… an attacker could still use the Facebook token and get access to a user’s account on third-party websites,” Jason Polakis, author of the study, said in an interview with Wired.
By creating a wide network of interlinked accounts, Single Sign-On has made the web more vulnerable. A hacker only has to breach a single account to gain access to all the accounts linked to it, raising the serious possibility that some hacker may someday cause a catastrophic worldwide security breach spanning every major website with linked accounts. Websites that currently use Facebook’s Single Sign-On feature will have to rethink their user access strategy.