Cybersecurity

Facebook Hack Another Warning Sign Against Online Centralization

The bigger the company, the bigger the target.

Andrea O'Sullivan | 10.9.2018 8:30 AM

[Photo: Mark Zuckerberg. Credit: LEWIS JOLY/VIVA TECHNOLOG/SIPA/Newscom]

Facebook has had a rough year. The social media giant has been castigated for everything from sneaky data policies to "shadow profiles," political bias, the election of Donald Trump, and even a genocide in Myanmar. Some of these criticisms hold more water than others. But last month, Mark Zuckerberg and company bungled up their business in a pretty straightforward way: They suffered their worst hack yet.

Some 50 million accounts are known to have been affected by the vulnerability, which had reportedly existed since July 2017 before being discovered on Sept. 25 and publicized three days later. Another 40 million accounts were thought to possibly be at risk, so the company locked all 90 million users out of their accounts while it made the necessary fixes.

You may have noticed a special message from Facebook about privacy and security the week that this happened: This means that your account could have been affected. The mechanism involved what's called Facebook Connect, a "single sign-on" (SSO) system that allows you to use your Facebook account to log in to other websites.

The attackers apparently chained three separate zero-day (that is, previously unknown) vulnerabilities to gain access to user accounts.

Here's how it worked: Facebook users have the ability to see what their profile looks like to other users—like a friend, or a friend of a friend, or just a random stranger. This is called the "View As" feature, and it was ironically first created to give users more of a feeling that they were in control of their data.

Hackers first exploited a bug that made the "View As" feature appear as a video upload tool (like those weird "Year in Review" videos that the platform periodically auto-generates). Then they manipulated the uploader to generate an access token, which is what Facebook Connect uses to allow you to access other websites. Finally, the hackers were able to pivot and gather access tokens for other users connected to that account (who you would be "viewing as").
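The three steps above describe a token minted for the wrong principal: a preview that impersonates another user ends up issuing a credential that acts as that user. The following is an added, simplified model of that defect class, written for this article and not Facebook's code; `Session`, `Issuer`, and the token format are assumptions. It shows the vulnerable issuance beside the corrected one, the check a relying site should make with the issuer before trusting a token, and the mass token reset used to contain the damage.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed: the issuer's signing key


@dataclass
class Session:
    user_id: str                      # the authenticated account (the real viewer)
    view_as: Optional[str] = None     # profile being previewed, if "View As" is active


@dataclass
class Issuer:
    # Per-account token generation; bumping it invalidates every token issued before.
    generation: Dict[str, int] = field(default_factory=dict)

    def _sign(self, subject: str) -> str:
        payload = f"{subject}:{self.generation.get(subject, 0)}:{secrets.token_hex(8)}"
        mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def mint_vulnerable(self, s: Session) -> str:
        # Defect modelled here: an uploader rendered inside the preview takes its
        # subject from the impersonated identity, so the viewer receives a token
        # that acts as the person being "viewed as".
        return self._sign(s.view_as or s.user_id)

    def mint_fixed(self, s: Session) -> str:
        # Fix: the subject always comes from the authenticated session.
        return self._sign(s.user_id)

    def verify(self, token: str) -> Optional[str]:
        # The check a relying site should make with the issuer before trusting a
        # token: signature intact and not superseded by a token reset.
        parts = token.split(":")
        if len(parts) != 4:
            return None
        subject, gen, nonce, mac = parts
        expected = hmac.new(SERVER_KEY, f"{subject}:{gen}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        if int(gen) != self.generation.get(subject, 0):
            return None  # issued before the account's tokens were reset
        return subject

    def reset_tokens(self, user_ids: Iterable[str]) -> None:
        # Mass invalidation, the response applied to the affected accounts.
        for uid in user_ids:
            self.generation[uid] = self.generation.get(uid, 0) + 1
```

A relying site that accepts whatever token the browser hands it, without asking the issuer, would keep honoring the leaked credentials even after the reset.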

If the hack sounds complicated, it's because it is. (And some hoaxsters have taken to sowing more confusion in its wake by tricking people into thinking their accounts have been compromised.) Information security experts surmise that the attackers must have been a very sophisticated actor to pull something like this off. Perhaps it was a nation-backed actor, or some other well-heeled mercenary group. Maybe it was just an exceptionally talented 400-pound bedbound hacker. Whatever the case, attackers this sophisticated are usually equally good at covering their tracks. As Facebook vice president Guy Rosen told reporters, they may "never know" who is responsible.

This was obviously huge news, not least because so many people have come to rely on Facebook to dispel boredom and enjoy digital camaraderie throughout their days. Facebook is a huge and well-capitalized company. Users share so much data with Facebook in part because they expect that it will prioritize security. And Facebook indeed employs scores of very talented engineers.

But the centrality of Facebook is precisely why hacks like these are such an omnipresent and dangerous threat.

The bigger the company, the bigger the target. The greater the data infrastructure, the more potential vulnerabilities there are to proactively defend against. Paradoxically, the great trust people place in Facebook to be a secure platform for sharing their lives is precisely what makes it such a tantalizing target. Furthermore, larger platforms have greater potential for security vulnerabilities by sheer virtue of their size and complexity. Facebook and companies like it (The Wall Street Journal just reported that Google+ also suffered a recent breach) are placed in the impossible position of providing divine security for a population that is conditioned not to worry about these things too much.

This becomes so much worse when you consider the spillover effects of this case. While the final carnage is still being assessed, it is possible that the contagion will spread to websites that used Facebook as an SSO option.

Think about all of the websites that you have connected to your Facebook account. If you were affected by the account token vulnerability, then the other websites that use Facebook Connect may also be vulnerable, as the New York Times reported.

This is a concerning prospect indeed, and it's a good idea for affected Facebook users to keep an eye on communications from connected apps and websites to see whether or not the rot has spread.

Maybe Facebook could have done more to protect against this particular hack. Or maybe not. Security professionals are not gods, and the hacking risks will always outstrip firms' resources to protect against them.

Finger-wagging and legislation can only do so much. Really, we should think more about the centralized infrastructure of our Internet experience that makes breaches like these an omnipresent and high-stakes threat.

There is no technical reason that many of the most popular user-facing web services, platforms like Facebook and Twitter, necessarily need to be run as a single, central, for-profit entity. They can be arranged as a protocol, more like email, where there is a diverse array of service providers tailored to one's own preferences from which to choose. This doesn't mean that hacking risks would go away. But it would at least decentralize the threat points, and therefore lower the risks to the overall infrastructure.

The Facebook hack yet again illustrates an important security maxim of our digital age: Trusted third parties are security holes. To the extent that we can limit our reliance on mega-centralized platforms like Facebook, the better the resilience of our overall security posture will be.


Andrea O'Sullivan is the Director of the Center for Technology and Innovation at the James Madison Institute in Tallahassee, Fla. Her work focuses on emerging technologies, cryptocurrency, surveillance, and the open internet.
