Facebook has been tricked by ***, this time nearly 100 million users are affected


At 9:41 am on September 28, 2018, Facebook posted on its official newsroom site (https://newsroom.fb.com) that the company had discovered a security vulnerability which *** could use to obtain information, potentially leading to the disclosure of nearly 50 million users' information.

In this press release, Guy Rosen, FB's vice president of product management, wrote:

1. The technical team discovered this vulnerability on the afternoon of September 25.
2. The security vulnerability appeared in July 2017, was identified on September 25, 2018, and was detected on September 27.
3. At present, FB has basically determined that *** have used this vulnerability to launch ***.
4. On the morning of September 27, about 50 million Facebook accounts were hacked.
5. After the problem was discovered, FB reset the access information of the 50 million affected users.
6. In addition to the 50 million affected users, FB performed the same reset on another 40 million users, so a total of 90 million users are affected.
7. On the evening of September 26, Facebook said it had fixed the vulnerability and notified law enforcement agencies, including the FBI and the Irish Data Protection Commission.

Before this news was disclosed, Facebook's stock price had already fallen by about 1.5%. After the news came out it fell further, closing down 2.59% at 164.46 US dollars after touching an intraday low of 162.56 US dollars.

Vulnerability details

This security vulnerability exists in the code of Facebook's "View As" function.
Because FB's privacy settings are extremely cumbersome, users often do not know which of the information they have posted other people can or cannot see.

The View As feature lets users view their own account as another person would see it, to confirm that the privacy settings meet their expectations.

FB revealed that *** used this vulnerability to steal users' "access tokens".

The access token keeps the user logged in, so that the user does not have to enter the password every time to verify their identity.

After obtaining the token, *** can log into someone else's account and see the posts and information that are set to be private.

In response, FB reset the access tokens of the 50 million users affected by the vulnerability and of another 40 million users who may become targets of further attacks.

What is an access token

From the official information we cannot confirm how the access token involved in the vulnerability exploited by *** is used, or how it was leaked.
But we can use OAuth2 to explain the role of the access token and how its security is ensured.

OAuth 2 is an authorization framework that lets third-party applications access a user's information held by a service, with the user's authorization. The most common scenario is authorized login (signing in with a third-party account); a more complex one is GitHub granting third-party applications interface access to a developer's user information or repository information. OAuth2 is widely used by third-party web, desktop and mobile applications to provide an authorization mechanism for data access between different applications.

The most typical authorization mode in OAuth2 is the Authorization Code grant; its general flow is shown in the figure below:
[Figure: OAuth2 Authorization Code flow, steps 1 to 6]

We roughly divide the entire OAuth2 authentication process into three stages.

The first stage is mainly about obtaining authorization from the user, corresponding to steps 1 and 2 in the figure;

The second stage is mainly about applying for an access token (access_token), corresponding to steps 3 and 4 in the figure;

The third stage uses the access_token to obtain user data, corresponding to steps 5 and 6 in the figure. Many sensitive parameters and data are involved in this process. To some extent, the access_token is the user's session id.

In other words, once *** obtains the access_token at any point in the authentication process, he can still access your user data even without knowing your username and password.

Is OAuth2 safe?

The OAuth2 protocol itself can be said to be relatively secure, at least much safer than logging in with a bare username and password.
Even with an access token leak like FB's, at least the password is not leaked: as long as the website resets the user's access tokens, the old tokens become invalid, so the impact is smaller than a leak of usernames and passwords.
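To make the three stages above and the token reset concrete, here is an added example (not code from the original post, and not Facebook's implementation): a constructed in-memory OAuth2 authorization and resource server with one registered client ("demo-app") and one user ("alice"), both hypothetical. It shows that whoever holds a valid access_token reads the user's private data without any password, and that resetting the affected user's tokens makes a leaked copy useless.

```python
import secrets

class AuthServer:
    def __init__(self):  # constructed demo data: one registered client, one user
        self.clients = {"demo-app": {"secret": "demo-secret", "redirect_uri": "https://app.example/cb"}}
        self.users = {"alice": {"email": "alice@example.com", "private_posts": ["friends only"]}}
        self.codes = {}   # authorization code -> (user, client_id, redirect_uri)
        self.tokens = {}  # access_token -> user

    def authorize(self, client_id, redirect_uri, user):
        """Stage 1 (steps 1-2): the user grants access; the server issues a one-time code."""
        if self.clients[client_id]["redirect_uri"] != redirect_uri:
            raise PermissionError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, redirect_uri)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Stage 2 (steps 3-4): the client exchanges code + client_secret for an access_token."""
        issued = self.codes.pop(code, None)  # single use: replaying a code fails
        if issued is None or issued[1:] != (client_id, redirect_uri) \
                or self.clients[client_id]["secret"] != client_secret:
            raise PermissionError("code unknown, reused, or not issued to this client")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = issued[0]
        return access_token

    def userinfo(self, access_token):
        """Stage 3 (steps 5-6): the resource server trusts whoever presents a valid token."""
        if access_token not in self.tokens:
            raise PermissionError("invalid or revoked access_token")
        return self.users[self.tokens[access_token]]

    def reset_tokens(self, affected_users):
        """FB's mitigation: invalidate every token of affected users; leaked copies stop working."""
        before = len(self.tokens)
        self.tokens = {t: u for t, u in self.tokens.items() if u not in affected_users}
        return before - len(self.tokens)


def simulate_leak():
    """Normal flow; then the token alone (no password) reads private data; then the reset."""
    srv = AuthServer()
    code = srv.authorize("demo-app", "https://app.example/cb", "alice")
    leaked = srv.token("demo-app", "demo-secret", code, "https://app.example/cb")
    before = srv.userinfo(leaked)["private_posts"]   # bearer alone reads private data
    revoked = srv.reset_tokens({"alice"})
    still_valid = leaked in srv.tokens               # False: the stolen copy is now useless
    return before, revoked, still_valid
```

The redirect_uri check, the one-time code and the client_secret check in stage 2 are the controls whose absence underlies several of the WooYun reports listed below.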

However, many vulnerabilities are introduced by OAuth, mostly through improper use. WooYun has disclosed many website vulnerabilities caused by incorrect OAuth implementations:

  • CSRF hijacking of third-party accounts

      • WooYun: Damai.com is at risk of account hijacking

      • WooYun: Meilishuo OAuth vulnerability allows account hijacking

  • Leaking the code because parameters are not verified

      • WooYun: Tencent Weibo open platform openid and openkey interception

      • WooYun: Hidden risks in how Sohu Weibo OAuth2.0 obtains the Authorization Code

  • Replay ***

      • Several security bugs in the Inwatch-InHealth client interface

  • Application impersonation: obtaining a token to control a user's account

      • @囧虎张建伟, SSO authorization and authentication defect in the Sina Weibo Android client

      • WooYun: Design flaws in Tencent open platform's single sign-on (SSO) solution lead to phishing risks

  • Obtaining the access token directly with the platform username and password

      • WooYun: Happy Network (Kaixin) Android client brute-force cracking vulnerability; 2000 accounts tested, 132 cracked

      • CCTV 3.15 Gala: Android mobile applications seriously steal user information

The specific security precautions for OAuth2 will not be expanded on here; interested readers can search for them, or I will post a separate in-depth article later.

Afterword

After the FB vulnerability was exposed, Facebook CEO Mark Zuckerberg quickly responded to the incident, saying: "This is a very serious security issue, and we are taking it very seriously."
Facebook is the world's largest social platform, with 2.2 billion users. In the 15 years since its founding, the company has rarely suffered incidents that caused information leakage; strictly speaking, large-scale and severely damaging *** incidents have only happened once or twice.

In 2013, a programmer made a mistake in the code that code review failed to catch, resulting in the disclosure of the contact information of more than 6 million users.

Around 2014 and 2015, the data analysis company Cambridge Analytica abused FB's developer platform, illegally mined the data of more than 87 million users, and sold it to some candidates in the U.S. elections to interfere in the general election. FB's senior executives knew about this but did nothing.

Earlier this year, Zuckerberg attended a congressional hearing because of that scandal. FB was placed under investigation, and its stock price lost tens of billions of dollars at the time.

The investigation is still not over, and FB has not yet recovered from the Cambridge Analytica scandal, and now ****** has occurred again.

Of course, strictly speaking, FB is also a victim. Unfortunately, fewer and fewer people sympathize with it. After the FB announcement was issued there was a lot of criticism online, which basically amounts to:

"If you spend so much effort researching how to mine our data to make money, why can't you put more research into your own vulnerabilities?"

After the incident, U.S. mainstream media reports coincidentally quoted Zuckerberg's pledge at the earlier hearing:

"We have a responsibility to protect your data. If we can't, then we don't deserve to serve you."

Reference material:
Facebook has been hacked again, this time it has pitted nearly 100 million users! (https://www.pingwest.com/a/177864)
OAuth research & study notes (http://www.tasfa.cn/index.php/2016/03/26/note_of_oauth/)

Origin blog.51cto.com/13626762/2544513