What happened when our Facebook accounts got hacked?

Recently, unknown attackers accessed the data of 29 million Facebook users. (You can check if you were affected on this page.) The event raised a lot of questions: should I change my password? Could I have been affected even though I use two-factor authentication? What kind of data could the attackers steal? Could they have accessed Facebook-connected apps like Messenger or Tinder?

Modern authentication

All existing authentication methods rely on something particular to the user, be that an apartment key (something only the person has), a handwritten signature (something only the person can produce), a fingerprint (something only the person is), or a password (something only the person knows). Modern authentication methods, however, differ from this basic picture in two ways.

First, two-factor authentication requires - not surprisingly - two factors: not only a password (something only the person knows) but also a phone (something only the person has). Typically the user receives a one-time password via a text message that is used alongside the regular password. This is a significant step forward in securing accounts, since an attack would now require not just obtaining the password but also stealing the user’s phone (or at least gaining access to their text messages). It is clear that two-factor authentication is worth turning on for all apps: you can do that here for Facebook and here for other websites.

Second, nowadays we frequently don’t register with the app we use itself (like Tinder) but instead sign in with our Google or Facebook account. This is possible because of so-called auth tokens. These can be pictured as a concert ticket. Once you obtain the ticket, you can hand it to anybody, and whoever holds the ticket can use the services it covers (such as attending the concert). However, you can only get into the VIP section or the singer’s meet-and-greet if the ticket includes those services too.

When a user logs into Tinder, in reality they log into Facebook’s servers, which in turn issue such a ticket for Tinder. The ticket only grants access to a limited set of data - in the case of Tinder, the user’s name, age, photos, and maybe education - but nothing else. This guarantees that Tinder couldn’t post to our Facebook page even if it wanted to, since that would require us to authorise such a ticket first.

No need to change passwords

So what happened a few weeks ago? The attackers didn’t gain access to passwords but rather to certain users’ auth tokens. This was possible because of a vulnerability in Facebook’s “view as” feature. This button allowed (until Facebook turned it off shortly after the attack) user A to check what another user B could see on A’s profile: what is visible if B is a stranger, a friend, or a family member. Facebook engineers most likely implemented this by providing user A with an object similar to B’s auth token (ticket), thus simulating B’s access - somewhat like A borrowing B’s (limited) ticket. This is what could have caused the vulnerability that allowed attackers to obtain other users’ full access tokens.

This makes it clear why potentially affected users had to log in to Facebook and connected apps again: as a precaution, Facebook invalidated all outstanding auth tokens (tickets). As a result, connected apps like Tinder could no longer use the tickets already issued to them, which required re-authentication.

This also shows why a password change is not needed: the attackers could only access auth tokens, not passwords. This is also why two-factor authentication could not have prevented this particular attack (though it still provides protection against other kinds of attacks).

Because of the way tickets work, connected apps could have been affected as well, but Facebook engineers later ruled that out. Furthermore, these tickets only gave access to a limited set of data - names, email addresses and, in half the cases, other profile information - so attackers had no way to read messages or post in our names.
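The two properties described above - a ticket that only unlocks the services it was issued for, and a server-side invalidation that forces connected apps to re-authenticate without anyone changing a password - can be modelled in a few lines. The following is an added illustration, not Facebook's code; the user name, password, scope names and the `TokenServer` class are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    """A scoped bearer token: the 'ticket' handed to a connected app."""
    user: str
    scopes: frozenset
    revoked: bool = False


class TokenServer:
    """Hypothetical identity provider issuing and checking scoped tokens."""

    def __init__(self):
        self._tokens = {}                               # token string -> Token
        self._passwords = {"alice": "correct-horse"}    # constructed sample credential

    def login(self, user, password, scopes):
        # The password is checked only here; the connected app never sees it.
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        tok = secrets.token_urlsafe(32)                 # unguessable ticket
        self._tokens[tok] = Token(user, frozenset(scopes))
        return tok

    def authorize(self, tok, scope):
        """Return the user if `tok` is valid and covers `scope`, else None."""
        t = self._tokens.get(tok)
        if t is None or t.revoked:
            return None             # unknown or invalidated: app must re-authenticate
        if scope not in t.scopes:
            return None             # ticket does not include this service
        return t.user

    def revoke_all(self):
        """Invalidate every outstanding ticket; passwords are untouched."""
        for t in self._tokens.values():
            t.revoked = True


if __name__ == "__main__":
    srv = TokenServer()
    ticket = srv.login("alice", "correct-horse", ["public_profile", "email"])
    print(srv.authorize(ticket, "email"))            # alice
    print(srv.authorize(ticket, "publish_posts"))    # None: not in the ticket
    srv.revoke_all()
    print(srv.authorize(ticket, "email"))            # None: must log in again
```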

A larger pattern?

What does this say about Facebook? It’s quite clear that data security and privacy were never part of their fundamental values, and their focus on the area nowadays is mostly fuelled by business reasons. Nevertheless, this attack still looks more like a technical mishap (in this case, a coincidence of three software bugs) than a problem with their values, since the issue was unrelated to Facebook’s policies (unlike the earlier Cambridge Analytica scandal). Still, it is clear that (frequently state-sponsored) cyber attacks are becoming more and more frequent - so it is worth keeping in mind that nothing we share online is 100% safe.