“View As” Facebook hack affects 90 million users

In late September Facebook revealed details of a security breach they had apparently first spotted close to two weeks earlier. The problem was rooted in a feature (View as) allowing users to view their Facebook pages the way others would see them, which inadvertently allowed attackers to access the identifying user tokens. As the social network uses these tokens to check the identity of a user, this effectively granted them full access to the accounts.View as facebook hack

The hack was used to get at the accounts of at least 50 million users, while another 40 million were forced to log back on to the website or related apps as a precaution. This may seem a fairly small percentage of Facebook’s total user base of well over 2 billion active users worldwide, but it’s still a pretty huge number of people to be hit by a hack granting access to the vast amounts of personal information most Facebook users entrust to the site.

With all this data now most likely in the hands of unknown hackers, and at some point fairly likely to be made available for sale to others, the security implications are huge. For a start, many businesses make use of Facebook’s login system for their own sites and services, especially smaller firms with limited resources to develop and maintain their own authentication processes. This could mean many accounts outside of Facebook will have been compromised by the same hack.

The exposure of personal data will also, almost inevitably, lead to an uptick in phishing, targeting people based on information gleaned from the hack and giving phishers a much more convincing starting point for their efforts. A phish is much more effective at tricking its target if it references the correct information on the services they use, and details often used as back-up identifiers, such as “mother’s maiden name”, first pet or first school, are all too easy to dig out from a Facebook profile.

Coming on the back of growing unease at the privacy implications of Facebook’s business model, as well as the phenomenon of “fake news” spreading wildly across the platform, this epic leak should push the firm towards greater efforts to secure and protect the information its users continue to entrust it with. It is likely to encourage many more cautious users to drop the platform altogether.

British Airways glitch leaks bank details, including security codes

A few weeks before the epic “View As” Facebook bug was discovered, major airline BA reported a problem with its website which divulged complete banking details for everyone who bought tickets online between August 21st and September 5th, some 380,000 customers. The hack revealed not only credit/debit cards numbers, but also the “CVV” numbers stored separately and not usually recorded by online systems, allowing anyone with access to them to complete transactions without further authentication.

The severity of the hack and the specific timeline unveiled in the announcement from BA, which noted the exact start and finish time of the attack, are both down to the unusual approach taken by the hackers. Rather than breaking in to data storage and making off with stored information, often in encrypted form, it’s believed that third-party JavaScript code used by the website was hijacked and doctored to redirect traffic elsewhere, effectively placing the hackers between the customer and the BA website and allowing them to view anything typed in to the site.

The approach is identical to that used by the “Magecart” hacking group, previously best known for a very similar attack on ticket sales site Ticketmaster. In the BA case, the script in question was the “Modernizr” tool used by the company’s baggage claim system, loaded from an external site – this seems to be proven by changes observed in the source of the script at exactly the time noted in the BA announcement.

This should serve as a timely reminder to anyone maintaining a website that your security is only as good as that of any other company whose code you are reusing.  

Cyber security Awareness month – October 2018

October is now recognized around the world as “Cyber Security Month”, with the idea first introduced in the US by Homeland Security in 2004. Europe’s version followed in 2012, and others including Canada have also joined the party, promoting awareness and education around online security issues in a wide variety of ways.

The month is an ideal time for everyone involved in cyber security to help spread the word to friends, relatives, customers, users, management, and anyone else who may be behind the curve when it comes to understanding the dangers we all face online. The various local initiatives provide a wealth of resources, from advice for end-users on choosing passwords, backing up data and securing online accounts, to more advanced guidance on implementing better security in major infrastructure projects.

The weekly themes focused on by the US DHS’ project reflect this diversity, running from protecting homes in week 1, through the need for more skilled workers in the industry in week 2 and the role of all users in ensuring secure workplaces in week 3, through to the vital need to protect critical services in week 4.

So if you feel the need to improve your digital security smarts, take advantage of some of the tools and programs on offer to catch up with the latest advice and best practices. And even if you’re already an expert, help bring your peers up a level by pointing them to the educational resources they will find most useful in their lives and careers!