What is the Issue?
Many applications require an email verification step to confirm a user's identity before logging them in. When a person signs up for an app using Facebook Login, an account is created for them and Facebook handles the authentication step by issuing an access token, so the user does not have to enter their username and password every time they access the app.
On September 25, Facebook's engineering team discovered a security issue that allowed users to obtain other users' access tokens. Anyone holding another person's access token can take control of that account.
According to the September 28 update, Facebook has fixed the vulnerability and invalidated data access for third-party apps for the affected individuals. They are still unsure whether any of the compromised accounts were misused or if any personal and sensitive information was accessed using them.
Why is this noteworthy?
This is particularly noteworthy for organizations that allow users to log in to their web application through their Facebook account. More than 90 million users use Facebook, and many of these users have it set up as their login authentication for multiple professional, personal and financial apps that they use daily. These apps contain sensitive information, and if the authentication method is compromised, it could lead to a data breach and leakage of sensitive information.
50 million accounts were affected by this security flaw, and Facebook has reset the access tokens of all these accounts for security purposes. Another 40 million accounts will also have their access tokens reset as a precaution. All affected Facebook users will be logged out of their Facebook accounts as well as all apps that use Facebook login as a method of authentication. They will need to re-enter their password when they access Facebook or the other apps again.
What is the exposure or risk?
Many apps have stored data like credit card information, SSNs, addresses and birth dates, etc. The main risk would be exposure or leakage of sensitive data – personal, professional or financial.
If a bad actor has gained access to Facebook users' access tokens, they can use them to take over those accounts and gain access to private and sensitive information. The extent of misuse of a token depends on the permissions set by the account owner.
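A web application that relies on Facebook Login should never treat a token handed over by the browser as proof of identity on its own. The backend should introspect the token with the Graph API debug_token endpoint and act on the result: a token Facebook has reset comes back as not valid and must end the session, a valid token minted for a different app must not log anyone in, and the user id comes from the introspection response, not from the client. The following is an added example, not SKOUT's or Facebook's code; the responses are constructed samples in the shape debug_token returns, and EXPECTED_APP_ID is a placeholder.

```python
"""Server-side acceptance check for a Facebook Login access token.

A token presented by the client is only proof of identity once the backend
has introspected it with the Graph API debug_token endpoint
(GET /debug_token?input_token=<user token>&access_token=<app token>) and
checked the JSON it returns.  The responses used here are constructed
samples and EXPECTED_APP_ID is a placeholder for your own app id.
"""

EXPECTED_APP_ID = "000000000000000"  # placeholder, not a real app id


def evaluate_token(debug_response, now, expected_app_id=EXPECTED_APP_ID,
                   required_scopes=("email",)):
    """Decide whether to log a user in based on a debug_token response.

    Returns (accepted, detail): detail is the Facebook user id on success
    (taken from the introspection result, never from the client) or the
    reason for rejection.
    """
    data = debug_response.get("data")
    if not isinstance(data, dict):
        return False, "malformed introspection response"
    # Tokens Facebook reset after the incident come back with is_valid False;
    # that alone must end the session.
    if data.get("is_valid") is not True:
        return False, "token not valid (revoked, reset or expired)"
    # A valid token issued to a different app must not log anyone in here.
    if str(data.get("app_id")) != expected_app_id:
        return False, "token issued to a different app"
    if data.get("type") != "USER":
        return False, "not a user access token"
    # An expires_at of 0 means Facebook reported no expiry for this token.
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:
        return False, "token expired"
    granted = set(data.get("scopes") or [])
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scopes: " + ", ".join(missing)
    return True, str(data.get("user_id"))


# Constructed sample responses in the shape debug_token returns.
VALID_RESPONSE = {"data": {"app_id": EXPECTED_APP_ID, "type": "USER",
                           "is_valid": True, "expires_at": 1_540_000_000,
                           "scopes": ["email", "public_profile"],
                           "user_id": "10000000000001"}}
RESET_RESPONSE = {"data": {"app_id": EXPECTED_APP_ID, "type": "USER",
                           "is_valid": False, "expires_at": 1_540_000_000,
                           "scopes": ["email", "public_profile"],
                           "user_id": "10000000000001"}}
OTHER_APP_RESPONSE = {"data": {"app_id": "111111111111111", "type": "USER",
                              "is_valid": True, "expires_at": 1_540_000_000,
                              "scopes": ["email"], "user_id": "10000000000002"}}

if __name__ == "__main__":
    now = 1_538_000_000  # constructed "current time", late September 2018
    for name, resp in [("valid", VALID_RESPONSE), ("reset", RESET_RESPONSE),
                       ("other app", OTHER_APP_RESPONSE)]:
        print(name, evaluate_token(resp, now))
```

The app id comparison is the check most often skipped: a token that is valid for some other application still introspects as valid, so without it an attacker holding a token granted to an unrelated app could sign in to yours.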
What are the recommendations?
· Logging out of Facebook from all places with a one-click option by going to Settings → Security and Login.
· Resetting the password to your account and setting up two-factor authentication for the same.
· SKOUT recommends that organizations disable Facebook and other Social Media authentication methods for their web applications.
· SKOUT also recommends that users refrain from using Facebook or any other Social Media accounts for authentication to third-party apps of personal use which use sensitive data.
· In cases where users are permitted by their organization to authenticate to their web app using Facebook, SKOUT recommends that customers review the web application syslogs for unusual activity or any logins from unusual IP addresses.
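Reviewing the web application logs for unusual activity, as the last recommendation asks, is easier with two concrete checks: a Facebook-authenticated login from an IP address the account never used during a baseline period, and a single IP address logging into several different accounts via Facebook within a few minutes. The script below is an added example, not part of SKOUT's advisory; the log lines and their layout are constructed samples, and the regular expression must be adapted to the application's own syslog format.

```python
"""Review web-application login logs for unusual Facebook-authenticated logins.

Two checks as a starting point: (1) a Facebook login from an IP address the
account never used during a baseline period, and (2) one IP address logging
into several distinct accounts via Facebook within a short window.  The log
lines and their format are constructed samples; adapt LINE_RE to your
application's own syslog layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) method=(?P<method>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log (documentation IP ranges only).
SAMPLE_LOG = """\
2018-09-20T08:15:02Z login user=alice method=facebook ip=203.0.113.10 result=success
2018-09-21T09:01:45Z login user=bob method=password ip=198.51.100.7 result=success
2018-09-22T17:40:12Z login user=alice method=facebook ip=203.0.113.10 result=success
2018-09-28T03:12:09Z login user=alice method=facebook ip=192.0.2.44 result=success
2018-09-28T03:12:31Z login user=bob method=facebook ip=192.0.2.44 result=success
2018-09-28T03:12:58Z login user=carol method=facebook ip=192.0.2.44 result=success
2018-09-28T10:00:00Z login user=bob method=password ip=198.51.100.7 result=success
"""


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def review(text, baseline_end, many_accounts=3, window_minutes=10):
    """Return findings for successful Facebook logins on or after baseline_end
    (an ISO timestamp); earlier successful logins form the per-account baseline."""
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%dT%H:%M:%SZ")
    events = parse_log(text)
    # Baseline: every IP each account logged in from before the cutoff.
    known_ips = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            known_ips[e["user"]].add(e["ip"])
    recent = sorted(
        (e for e in events
         if e["ts"] >= cutoff and e["method"] == "facebook" and e["result"] == "success"),
        key=lambda e: e["ts"],
    )
    findings = []
    # Check 1: a Facebook login from an IP never seen for that account
    # (accounts with no baseline history are flagged as well).
    for e in recent:
        if e["ip"] not in known_ips[e["user"]]:
            findings.append({"check": "new-ip", "user": e["user"], "ip": e["ip"],
                             "ts": e["ts"].isoformat()})
    # Check 2: one IP reaching many accounts inside the window.
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in recent:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = sorted({x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window})
            if len(users) >= many_accounts:
                findings.append({"check": "shared-ip", "ip": ip, "users": users,
                                 "ts": first["ts"].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, "2018-09-27T00:00:00Z"):
        print(finding)
```

On the sample, all three September 28 logins come from an address none of the accounts had used before, and the same address reaches three accounts within one minute, which is the pattern worth escalating. Choose the baseline cutoff so that it precedes the period of concern, and lengthen the baseline if legitimate users often roam between networks.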
If you have any questions, please contact our Security Operations Center.