Facebook Can't Reset All Breach Victims' Access TokensSocial Network Reveals It Cannot Log Users Out of All Third-Party Services
Warning: Attackers behind the recently revealed Facebook mega-breach may still be able to access victims' accounts at third-party web services and mobile apps, and Facebook has offered no timeline for when that might change.
Here's the problem: Whoever hacked Facebook stole single sign-on access tokens - and thus access - to at least 50 million accounts, which also gives them access to the hundreds of third-party services and mobile apps that accept victims' SSO authentication, dubbed Facebook Social Login or Facebook Login.
"If a service cannot guarantee its ability to offer single sign-off, it has no business providing single sign-on."
On Friday, the company issued a breach notification, saying that attackers abused a "View As" privacy feature to gain access tokens for 50 million accounts, leading to Facebook resetting those access tokens and forcing users to log in again. For another 40 million accounts, just to be safe, Facebook says it also reset tokens - forcing users to log in again - because they had accessed the "View As" feature at some time (see Facebook Breach: Attackers Exploited Privacy Feature).
Individual Facebook users currently lack the ability to forcibly reset their Facebook Social Login access tokens. These tokens allow users to automatically authenticate to third-party web services and mobile apps, from Airbnb and Expedia to Spotify and Tinder. Accordingly, any personal data stored in these services is now at risk via the access tokens attackers stole (see Facebook Breach: Single Sign-On of Doom).
Delegated Security Responsibility
Unfortunately, Facebook now says that while it can reset access tokens, it cannot guarantee that all third-party services that accept Facebook Social Login will honor these token-reset requests. As a result, whoever hacked the social network could still be using Facebook SSO to access victims' other accounts.
Facebook revealed this problem on Tuesday, couching it in its typical spin - namely, attempting to absolve itself by talking about how developers may not be following best practices.
In Facebook-speak: "Security is incredibly important to Facebook. It's why we recommend developers stick to our Facebook Login security best practices," says Guy Rosen, Facebook's vice president of product management, in the Tuesday blog post.
That means Facebook is not guaranteeing that developers follow its best practices, including always using its official software development kit.
As a result, while Facebook says it's reset 90,000 access tokens, "some developers may not use our SDKs - or regularly check whether Facebook access tokens are valid." But Rosen says Facebook is "building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out."
In other words, at some future date, developers that Facebook has allowed to automatically connect with its users via its SSO Facebook Login may get their act together and review whether their web services or mobile apps have logged out users whose access tokens got stolen.
Facebook: Us, Enforce Rules?
Facebook, however, does not enforce these best practices, which makes these sorts of bromides meaningless, while also putting users at risk.
This corporate approach, in fact, appears to mirror precisely what got Facebook into the Cambridge Analytica data scandal mess. Simply put, Facebook wasn't policing how third parties accessed, processed, used or sold Facebook users' data.
In the interim, data analysis firm Cambridge Analytica obtained profile data for as many as 87 million Facebook users via a "thisisyourdigitallife" personality app created by a U.K.-based researcher named Aleksandr Kogan. Facebook says that Kogan's app was able to access personal data not just for those who used his personality survey, but also some of their friends' data.
As a result, the data potentially may have been used to target them with advertising and disinformation campaigns (see Facebook to Congress: We Shared More Data Than We Said).
Potential Good News
The potential good news for the 50 million victims of Facebook's recent breach, however, is that there are as yet no signs that attackers did abuse the access tokens to access third-party services.
"We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login," Rosen says.
But this might not be surprising, because one likely perpetrator of this attack would be an intelligence agency that was keen to build "big data" maps of citizenry using the stolen information, rather than raid people's Instagram profiles or Tinder picks.
"This Facebook data is mainly useful to either advertisers or nation-states," says Avivah Litan, vice president at Gartner Research. "I doubt advertisers hacked Facebook, so I imagine this is the work of a nation-state building out its population maps for citizenry of various countries."
In the meantime, Facebook needs to begin building out its ability to not just promulgate best practices to developers, but ensure they comply with them. Because if a service cannot guarantee its ability to offer single sign-off, it has no business providing single sign-on.