Facebook has received ample blame for the historic data breach that allowed hackers to not only take over the accounts of at least 50 million users, but also access third-party websites those users logged into with Facebook. But what makes it so much worse is that fixing the issue is, in many ways, out of Facebook’s hands.
Some of the web’s most popular sites have not implemented basic security precautions that would have limited the fallout of the Facebook hack, according to a recent research paper out of the University of Illinois at Chicago. If they had taken more care with their implementation of Facebook’s Single Sign-On feature—which lets you use your Facebook account to access other sites and services, rather than creating a unique password for every site—the impact could have largely been limited to Facebook. Instead, hackers could potentially have accessed everything from people’s private messages on Tinder to their passport information on Expedia, all without leaving a trace. Even more staggering: You could be at risk even if you’ve never used Facebook to log into a third-party site.
In a paper published in August, computer scientist Jason Polakis and his colleagues analyzed the many ways that hackers could abuse Facebook’s Single Sign-On tool. Facebook’s not alone in offering the feature; Google has its own version of it, as do plenty of other so-called “identity providers.” But Facebook’s, Polakis says, is the most widely implemented.
There are valid reasons third-party sites and services let users log in with Facebook. For starters, it’s easy, and saves users the hassle of creating yet another password. And, in theory at least, it makes logging in more secure. “Being able to set up a secure infrastructure, handle user input, have encrypted connections, and use up-to-date security mechanisms is pretty hard,” Polakis says. “So instead of relying on thousands of smaller websites, you rely on one that has better security practices.”
Of course, those benefits come with obvious associated risks. If someone compromises Single Sign-On—Facebook’s, Google’s, or anyone’s—the possible impact is widely dispersed. The researchers tried to determine the full extent of the potential damage of a stolen account. What data could an attacker then scrape? How would users know they’d been hacked? And what, if anything, could victims do about it? At the time, the findings were unnerving. Now, they seem eerily prescient.
On Friday, Facebook announced that hackers had leveraged three separate bugs to collect 50 million users’ so-called access tokens, which are the equivalent of digital keys to a Facebook account. With those tokens, hackers can take full control of users’ Facebook accounts, but because of Single Sign-On, they can also access any other website that those 50 million users log into with Facebook. That’s similar, though not identical, to the scenario Polakis and his colleagues studied. In that case, researchers were able to hijack cookies on a given user’s device using a now-patched flaw in the iOS Facebook app. But, Polakis says, once an attacker has control of someone’s Facebook account, their access to third parties would be largely the same.
After Facebook discovered the breach, it reset the access tokens for all 50 million affected users, and another 40 million who may have been impacted. “We’re still doing the investigation [to see] if these attackers did get access to those third-party apps,” Facebook spokesperson Katy Dormer tells WIRED.
There are ways that third-party companies can and should protect their users in case Single Sign-On is breached. The problem, Polakis says, is few of them do.
For instance, websites that use Single Sign-On can either automatically log you in if you’re already logged into Facebook elsewhere in your browser, or they can require you to enter your Facebook password every single time you log in. The second scenario is more secure, because hackers would need more than just the user’s access token to get into third-party sites. They’d need passwords, too.
But in a manual audit of 95 of the most popular web and mobile sites that offer Facebook Single Sign-On—from Uber and Airbnb to The New York Times and The Washington Post—the researchers found that only two required people to enter their Facebook passwords each time they logged in. Polakis describes it as a classic case of companies choosing usability over security. “If all websites had enabled that option, in this case, the attackers wouldn’t be able to access third parties, because they wouldn’t have your Facebook password,” he says.
Third-party sites could also let users view activity on their accounts. Facebook, for instance, has recommended that users look at “active sessions” as a way to spot any unauthorized access. But not every website offers such a digital trail. Nor do they all provide ways to clear active sessions. In fact, of those 95 sites Polakis and his co-authors studied, only 10 offer some way to purge sessions. This not only makes the perpetrators hard to catch, it can make it nearly impossible to cut them off.
Polakis and his team also analyzed a subset of the sites to see whether a hijacked session could change the account’s email address or password on those third-party sites. They found that out of 29 sites, 15 allow attackers to change an account’s email without entering a password; of those, six allow the password to be set without entering the old password. The rest require the attacker to conduct a formal password reset. But if the attacker has already changed the email address on that site, they’re just routing the password reset email to themselves.
Facebook’s Dormer says the company advises developers on “best practices,” and is currently “preparing additional recommendations for all developers responding to this incident and to protect people going forward.”
But perhaps the most staggering finding in the paper is that people don’t necessarily need to have logged into third-party sites with Facebook to be exposed. Say, for example, you logged onto a website with the same email address that’s associated with your Facebook account. If an attacker tries to log onto that same website using Facebook’s Single Sign-On, the researchers found that some sites—including fitness app Strava—will associate the two accounts.
“If you have a Facebook account, even if you’ve never used it to log into any other website…an attacker could still use the Facebook token and get access to a user’s account on third-party websites,” Polakis says.
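The two relying-party behaviors described above, email-based auto-linking and email changes that require no password, are easier to see in code than in prose. The following is an added illustration written for this page; it is not code from the paper or from any of the sites it audited. It models a toy third-party site as a `RelyingParty` with two switches, `auto_link_by_email` and `password_for_email_change`, and an `Assertion` standing in for what the site learns from the identity provider after login. The `demo()` function plays the attacker holding a victim’s identity-provider token against a weak and a hardened configuration; the account names, subjects and passwords in it are constructed.

```python
"""Toy relying-party (RP) model of two behaviours the audit describes: silently
linking an SSO login to an existing local account because the e-mail addresses
match, and letting an already-signed-in session change the account e-mail with
no password.  Added illustration, not code from the paper or any audited site."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


@dataclass
class Assertion:
    """What the RP learns from the identity provider (IdP) after the OAuth dance.
    An attacker holding the victim's IdP token presents the victim's subject and e-mail."""
    subject: str   # stable IdP-side user id
    email: str


@dataclass
class Account:
    email: str
    pw_hash: bytes                                   # empty for SSO-only accounts
    linked_subjects: Set[str] = field(default_factory=set)


class RelyingParty:
    def __init__(self, auto_link_by_email: bool, password_for_email_change: bool) -> None:
        self.auto_link_by_email = auto_link_by_email
        self.password_for_email_change = password_for_email_change
        self.by_email: Dict[str, Account] = {}
        self.by_subject: Dict[str, Account] = {}

    def register_local(self, email: str, password: str) -> Account:
        acct = Account(email, hash_password(password))
        self.by_email[email] = acct
        return acct

    def _link(self, acct: Account, subject: str) -> None:
        acct.linked_subjects.add(subject)
        self.by_subject[subject] = acct

    def login_with_idp(self, a: Assertion) -> Optional[Account]:
        """Account the SSO login lands in, or None if the RP refuses to decide on its own."""
        acct = self.by_subject.get(a.subject)
        if acct is not None:                  # previously linked: ordinary SSO login
            return acct
        existing = self.by_email.get(a.email)
        if existing is None:                  # first visit: create an SSO-only account
            acct = Account(a.email, b"")
            self.by_email[a.email] = acct
            self._link(acct, a.subject)
            return acct
        if self.auto_link_by_email:           # weak: an e-mail match is taken as proof of ownership
            self._link(existing, a.subject)
            return existing
        return None                           # hardened: the local account must vouch for itself

    def link_with_password(self, a: Assertion, password: str) -> Optional[Account]:
        """Hardened linking step: the local password proves the local account is the user's."""
        existing = self.by_email.get(a.email)
        if existing is None or not existing.pw_hash or not check_password(password, existing.pw_hash):
            return None
        self._link(existing, a.subject)
        return existing

    def change_email(self, acct: Account, new_email: str, password: Optional[str] = None) -> bool:
        """Whoever controls the account e-mail receives every password-reset link.
        (SSO-only accounts have no password; a real RP would demand IdP re-authentication instead.)"""
        if self.password_for_email_change and not (password and check_password(password, acct.pw_hash)):
            return False
        if new_email in self.by_email:
            return False
        del self.by_email[acct.email]
        acct.email = new_email
        self.by_email[new_email] = acct
        return True


def demo() -> Dict[str, bool]:
    """Victim registered locally with a password; the attacker holds only the victim's IdP token."""
    stolen = Assertion(subject="idp-user-1", email="victim@example.com")     # constructed
    out: Dict[str, bool] = {}
    weak = RelyingParty(auto_link_by_email=True, password_for_email_change=False)
    victim = weak.register_local("victim@example.com", "correct horse")
    out["weak_takeover"] = weak.login_with_idp(stolen) is victim
    out["weak_email_hijack"] = weak.change_email(victim, "attacker@example.net")

    hard = RelyingParty(auto_link_by_email=False, password_for_email_change=True)
    victim2 = hard.register_local("victim@example.com", "correct horse")
    out["hard_refused"] = hard.login_with_idp(stolen) is None
    out["hard_email_refused"] = not hard.change_email(victim2, "attacker@example.net")
    out["hard_link_with_pw"] = hard.link_with_password(stolen, "correct horse") is victim2
    out["hard_sso_after_link"] = hard.login_with_idp(stolen) is victim2
    return out
```

The hardened configuration does not make SSO harder to use for a legitimate user: an account that was already linked logs in as before, and a brand-new visitor gets an SSO-only account. It only refuses the one case the paper flags, a never-linked local account being claimed on the strength of a matching email.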
So, what data could the researchers collect by penetrating these third-party sites? In controlled experiments, Polakis and his colleagues were able to track a victim’s trips in real time on Uber. In one case, they tipped the driver from the attacker’s device after the trip was complete. On Tinder, they were able to read users’ private messages, even though the messages appeared as unread to the affected account. From Expedia, they pilfered passport numbers and TSA information.
All that, just from an experiment with a limited number of compromised accounts and third-party sites. The attack Facebook disclosed, Polakis says, “is insanely higher scale,” affecting tens of millions of users across thousands of sites.
WIRED contacted several developers for comment, including Strava, Tinder, Expedia, and Airbnb. Uber, for its part, said it has revoked the tokens for accounts that the company believes could be at risk. According to spokesperson Melanie Ensign, that means anyone who logged onto Uber with a new device, though it’s unclear in what time frame. “While we haven’t seen evidence this exploit was used on our platform, our security teams and systems are constantly looking for potential issues and will notify users when we detect suspicious activity on their account,” Ensign says.
For now, Facebook is looking into whether the access token reset is enough to prevent the attackers from accessing these third parties going forward. (Polakis says that based on his research, it isn’t.) The extent of the damage that was already done over the 14 months the vulnerability was active is still unknown. Facebook isn’t yet sharing its specific recommendations for developers, but Polakis has a suggestion: Single Sign-Off. It would give users a way to instantaneously revoke access from every website connected to their Facebook accounts, and invalidate an attacker’s sessions.
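Both of the controls the article says most sites lack, a per-user list of active sessions that the user can purge, and a “single sign-off” that invalidates sessions at every connected site at once, come down to the same data structure: sessions indexed by user, plus a record at the identity provider of which sites each user signed into. The block below is an added illustration written for this page, not code from the paper, from Facebook, or from any site named in the article. It keeps everything in one process; in practice the identity provider’s fan-out would be a back-channel call to each relying party. The relying-party names, user-agent strings and subject ids are constructed, and the relying parties key their local user by the identity provider’s subject for brevity.

```python
"""Toy model of per-user session listing/purging at a relying party (RP) and of a
"single sign-off" fan-out from the identity provider (IdP).  Added illustration;
not code from the paper, from Facebook, or from any RP named in the article."""
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional, Set


class SessionStore:
    """Server-side sessions for one RP, indexed by user so they can be listed and revoked."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}
        self._by_user: Dict[str, Set[str]] = defaultdict(set)

    def create(self, user_id: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)            # 256 bits of entropy; never derived from the IdP token
        self._sessions[sid] = {"user": user_id, "ua": user_agent, "created": time.time()}
        self._by_user[user_id].add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def list_for_user(self, user_id: str) -> List[dict]:
        """What an 'active sessions' page would show: one row per session, never the id itself."""
        return [{"ua": self._sessions[s]["ua"], "created": self._sessions[s]["created"]}
                for s in self._by_user[user_id]]

    def revoke(self, sid: str) -> bool:
        s = self._sessions.pop(sid, None)
        if s is None:
            return False
        self._by_user[s["user"]].discard(sid)
        return True

    def revoke_all_for_user(self, user_id: str, keep: Optional[str] = None) -> int:
        """Purge every session of a user, optionally keeping the one doing the purging."""
        doomed = [s for s in self._by_user[user_id] if s != keep]
        for s in doomed:
            self.revoke(s)
        return len(doomed)


class IdentityProvider:
    """Remembers which RPs each subject signed into so a token reset can be fanned out.
    The RPs are in-process objects here; really this is a back-channel revocation call."""

    def __init__(self) -> None:
        self._rps: Dict[str, SessionStore] = {}
        self._logins: Dict[str, Set[str]] = defaultdict(set)     # subject -> RP names

    def register_rp(self, name: str, store: SessionStore) -> None:
        self._rps[name] = store

    def login(self, subject: str, rp: str, user_agent: str) -> str:
        """Completes an SSO login at `rp`; the RP session outlives the IdP token that created it."""
        self._logins[subject].add(rp)
        return self._rps[rp].create(subject, user_agent)

    def single_sign_off(self, subject: str) -> Dict[str, int]:
        """Revoke every RP session created through this subject; returns revoked count per RP."""
        return {rp: self._rps[rp].revoke_all_for_user(subject)
                for rp in sorted(self._logins[subject])}


def demo() -> dict:
    """One legitimate session and two made with a stolen IdP token, then a sign-off."""
    idp = IdentityProvider()
    rp_a, rp_b = SessionStore(), SessionStore()                   # constructed RPs
    idp.register_rp("rp_a", rp_a)
    idp.register_rp("rp_b", rp_b)
    victim = "idp-user-1"
    own = idp.login(victim, "rp_a", "victim-phone")
    stolen_a = idp.login(victim, "rp_a", "attacker-laptop")       # minted with the stolen token
    stolen_b = idp.login(victim, "rp_b", "attacker-laptop")
    before = len(rp_a.list_for_user(victim)) + len(rp_b.list_for_user(victim))
    # Resetting the IdP token alone changes nothing below: the RP sessions already exist.
    revoked = idp.single_sign_off(victim)
    alive = any(store.is_valid(s) for store, s in ((rp_a, own), (rp_a, stolen_a), (rp_b, stolen_b)))
    return {"before": before, "revoked": revoked, "any_alive": alive}
```

The `revoked` map is also the audit trail the article says users rarely get: it tells the user which sites had live sessions and how many were cut. The `keep` argument on `revoke_all_for_user` is what lets a legitimate user purge everyone else from a session they trust without logging themselves out.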
Facebook certainly deserves scrutiny. It has pushed its way into every corner of the internet for more than a decade, often without considering the ramifications of its ubiquity. But what’s also clear is that, in the interest of making it easier for people to spend more time swiping and clicking through their sites and apps, other web giants let their users down too. And now, everyone will pay the price.
Additional reporting by Louise Matsakis.