Reason.com

Free Minds & Free Markets

Facebook Hack Another Warning Sign Against Online Centralization

The bigger the company, the bigger the target.

Mark ZuckerbergLEWIS JOLY/VIVA TECHNOLOG/SIPA/NewscomFacebook has had a rough year. The social media giant has been castigated for everything from sneaky data policies to "shadow profiles," political bias, the election of Donald Trump, and even a genocide in Myanmar. Some of these criticisms hold more water than others. But last month, Mark Zuckerberg and company bungled up their business in a pretty straightforward way: They suffered their worst hack yet.

Some 50 million accounts are known to have been affected by the vulnerability, which had reportedly existed since July of 2017 before being discovered on Sept. 25 and publicized three days later. Another 40 million accounts were thought to possibly be at risk, so the company made a firm decision to lock all 90 million users from their profiles while they made the necessary fixes.

You may have noticed a special message from Facebook about privacy and security the week that this happened: This means that your account could have been affected. The mechanism involved what's called Facebook Connect, which is a "single sign-on" (SSO) that allows you to use your Facebook account as a way to access other websites.

The attackers apparently combined three separate zero day—or unknown—vulnerabilities to gain access to user accounts.

Here's how it worked: Facebook users have the ability to see what their profile looks like to other users—like a friend, or a friend of a friend, or just a random stranger. This is called the "View As" feature, and it was ironically first created to give users more of a feeling that they were in control of their data.

Hackers first exploited a bug that made the "View As" feature appear as a video upload tool (like those weird "Year in Review" videos that the platform periodically auto-generates). Then they manipulated the uploader to generate an access token, which is what Facebook Connect uses to allow you to access other websites. Finally, the hackers were able to pivot and gather access tokens for other users connected to that account (who you would be "viewing as").

If the hack sounds complicated, it's because it is. (And some hoaxsters have taken to sowing more confusion in its wake by tricking people into thinking their accounts have been compromised.) Information security experts surmise that the attackers must have been a very sophisticated actor to pull something like this off. Perhaps it was a nation-backed actor, or some other well-heeled mercenary group. Maybe it was just an exceptionally talented 400-pound bedbound hacker. Whatever the case, attackers this sophisticated are usually equally good at covering their tracks. As Facebook vice president Guy Rosen told reporters, they may "never know" who is responsible.

This was obviously huge news, not least because so many people have come to rely on Facebook to dispel boredom and enjoy digital camaraderie throughout their days. Facebook is a huge and well-capitalized company. Users share so much data with Facebook in part because they expect that it will prioritize security. And Facebook indeed employs scores of very talented engineers.

But the centrality of Facebook is precisely why hacks like these such an omnipresent and dangerous threat.

The bigger the company, the bigger the target. The greater the data infrastructure, the more potential vulnerabilities there are to proactively defend against. Paradoxically, the great trust the people place in Facebook to be a secure platform to share their lives is precisely what makes it such a tantalizing target. Furthermore, larger platforms have greater potential for security vulnerabilities by sheer virtue of their size and complexity. Facebook and companies like it (The Wall Street Journal just reported that Google+ also suffered a recent breach) are placed in the impossible position of providing divine security for a population that is conditioned to not worry about these things too much.

This becomes so much worse when you consider the spillover effects of this case. While the final carnage is being assessed, it is possible that the contagion will spread to websites that used Facebook as a SSO option.

Think about all of the websites that you have connected to your Facebook account. If you were affected by the account token vulnerability, then the other websites that use Facebook Connect may also be vulnerable, as the New York Times reported.

This is a concerning prospect indeed, and it's a good idea for affected Facebook users to keep an eye on communications from connected apps and websites to see whether or not the rot has spread.

Maybe Facebook could have done more to protect against this particular hack. Or maybe not. Security professionals are not gods, and the hacking risks will always outstrip firms' resources to protect against them.

Finger-wagging and legislation can only do so much. Really, we should think more about the centralized infrastructure of our Internet experience that makes breaches like these an omnipresent and high-stakes threat.

There is no technical reason that many of the most popular user-facing web services—platforms like Facebook and Twitter—need to necessarily be run as a single, central, for-profit entity. They can be arranged like a protocol more like email, where there is a diverse array of service providers tailored to one's own preferences from which to choose. This doesn't mean that hacking risks would go away. But it would at least decentralize the threat points, and therefore lower the risks to the overall infrastructure.

The Facebook hack yet again illustrates an important security maxim of our digital age: Trusted third parties are security holes. To the extent that we can limit our reliance on mega-centralized platforms like Facebook, the better the resilience of our overall security posture will be.

Photo Credit: LEWIS JOLY/VIVA TECHNOLOG/SIPA/Newscom

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Longtobefree||

    Abandon social media.
    Return to your caves and contemplate the universe on your own.
    Vote ear;y and often.

  • Longtobefree||

    (optional; learn to type)

  • sarcasmic||

    Simple solution: don't use Facederp.

  • gaoxiaen||

    After being banned on Facebook twice, I now use Gab More often.

  • ||

    Yeah, I wouldn't say I noticed a "Special" message from Facebook.

  • Woody Chip Hurrrrr?||

    The bigger the bureaucracy, the bigger the target. The greater the data power structure, the more potential voters there are to proactively inflame.

    FTFY

  • Woody Chip Hurrrrr?||

    There is no technical reason that many of the most popular government services—platforms like airports and railroads—need to necessarily be run as a single, central, for-power entity.

    FTFY

  • Woody Chip Hurrrrr?||

    In other words, this is not a business problem; markets have ways of dealing with inept businesses. Government protects most of the bad businesses, indirectly through old-fashioned corruption or directly by turning them into public utilities. National security is a popular excuse, but it's usually blamed on "market failure".

  • loveconstitution1789||

    What is FaceFriend again?

  • Rockabilly||

    I love the Facebook where I can share my Spam recipes with friends in Bulgaria and Norway.

    Did you know that fried Spam is not only delicious but good for you?

  • Fancylad||

    Hack of Facebook; Picture related

  • Hank Phillips||

    Faecepuke will get no sympathy or data from me.

  • Deway||

    NCIE

  • Deway||

    After I wasted a lot of time, easier just to break into the Facebook account you want , maybe it's immoral but it does the job! , Just search for fpowerhax ●ⒸⓄⓂ on google it a freeToolto hax anyone's Facebook

  • TJJ2000||

    So, exactly when did it become popular to blame the means instead of the crime?

    Joe walked into the bank with a marker and robbed it. Breaking News -- Markers to be banned and Banks required to no longer carry money. No mention of Joe???

    Hackers should be criminalized and put on trial for breach of privacy/theft ( INCLUDING Microsoft every-time it disperses information not specifically granted by Microsoft's users ). If someone steals my wallet was it the wallets fault - are we to go after wallet manufacturers???

    People commit crimes and will inevitably keep committing crimes so long as they can walk away from it. That is what needs to be addressed and stopped.

  • Jickerson||

    No one is suggesting anything remotely similar to going after wallet manufacturers. What is being suggested, however, is that centralizing everything creates a single point of failure that is both vulnerable to attack and immensely profitable to attack. This is awful for security, privacy, and user control.

    You can sit there hoping that bad guys won't do bad things all you want, but at the end of the day, you need to take measures to mitigate the damage that they will inevitably cause.

  • Geek Squad USA||

    Your tutorial helped to get necessary info regarding my concern. I want to keep writing such information and on the other secure your website with Geek Squad Tech Support team. https://geeksquad-usa.com/

  • messages||

    Joe walked into the bank with a marker and robbed it. Breaking News -- Markers to be banned and Banks required to no longer carry money. No mention of Joe???

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online