Did you have to re-login to Facebook this week? You’re not alone. Some fifty million people were impacted by a new data breach in Facebook that could have given hackers access to user profiles. Facebook’s solution was to have those who were affected by the hack as well as several million additional users log back into their accounts.
The breach involved something called user tokens. Facebook uses tokens to enable users to stay logged in so they don’t have to enter their login information every time they close and reopen the application. Imagine if you had to enter your username and password every time you opened the app on your phone. You’d quickly grow tired of doing that. User tokens keep you from having to do that.
Each user is assigned a unique token on each device they use to access Facebook. When you open the application, Facebook verifies the legitimacy of your token and grants you access to your profile accordingly. Obviously, because tokens function as the key to your Facebook account, they end up being as important as your username and password. Normally, though, they are significantly more secure than your username and password, because Facebook randomly assigns them to you, and someone would need access to your device to learn the token Facebook assigned to you.
In this instance, however, hackers were able to take advantage of – ironically – a data privacy feature to steal user tokens. To help you determine how much of your Facebook profile and wall are visible to others, Facebook added a “View As” feature some time ago. The feature enables you to see how your Facebook wall looks to your friends and to those beyond your list of friends. Based on this, you can decide if you need to tweak your privacy settings to fine-tune where your data is visible. Unfortunately, something in how Facebook coded this feature enabled hackers to access Facebook’s catalog of assigned user tokens. Theoretically, at least, they could then use these user tokens to log in to your profile, since user tokens give you access to your profile in the same way your username and password do.
Facebook hasn’t determined yet whether any damage has been done through this breach. They discovered that user tokens were susceptible to theft during testing and code review. They then took the appropriate steps: they fixed the error, forced everyone to log out and log back in so that their users would be assigned new tokens, and notified the public of the problem. Facebook handled this well and seems to have fulfilled their legal responsibilities.
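
The token lifecycle described above (a random token per user per device, a server-side check on each visit, and a forced re-login that invalidates exposed tokens), as an added Python example. It is not Facebook's code; the class `SessionStore`, its method names, and the choice to store only token digests are assumptions made for illustration.

```python
import hashlib
import secrets


class SessionStore:
    """Per-device login tokens: issue, verify, revoke (hypothetical design)."""

    def __init__(self):
        # Maps SHA-256(token) -> (user_id, device_id). Only digests are kept,
        # so reading this table does not yield usable tokens. This is an
        # assumption of the example, not a statement about Facebook's storage.
        self._sessions = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, device_id):
        """Create a random, unguessable token for one user on one device."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = (user_id, device_id)
        return token

    def verify(self, token):
        """Return the owning user_id, or None if the token is unknown/revoked."""
        entry = self._sessions.get(self._digest(token))
        return entry[0] if entry else None

    def revoke_users(self, user_ids):
        """Invalidate every token of the given users, forcing a fresh login."""
        affected = set(user_ids)
        stale = [d for d, (uid, _) in self._sessions.items() if uid in affected]
        for d in stale:
            del self._sessions[d]
        return len(stale)


def demo():
    # Constructed sample users and devices.
    store = SessionStore()
    phone = store.issue("alice", "phone")
    laptop = store.issue("alice", "laptop")
    bob = store.issue("bob", "phone")
    before = [store.verify(t) for t in (phone, laptop, bob)]
    revoked = store.revoke_users(["alice"])  # remediation after exposure
    after = [store.verify(t) for t in (phone, laptop, bob)]
    return before, revoked, after


if __name__ == "__main__":
    print(demo())
```

After `revoke_users`, the old tokens fail verification on every device, which is why affected users see a login prompt again and receive a new token when they sign in.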
Again, though, I’m struck by the irony of how the breach occurred. In providing a feature their customers could use to protect their privacy, Facebook’s programmers made a mistake that could enable hackers to invade their users’ privacy.
Developing software in the cybersecurity era is a pretty tough exercise, a running sequence of catch-22s. That’s why so many in the industry claim – correctly, in my estimation – that data breaches aren’t a matter of if, but of when.
I’m also impressed by the conflict between convenience and security at play here. Users crave convenience. In so many instances, however, those conveniences come at the price of introducing new holes for hackers to explore and exploit. Facebook created user tokens to enable users to stay logged in, which is particularly important on mobile devices where the act of constantly thumb-typing usernames and passwords would surely turn users away. Those user tokens were accidentally exposed. Convenience is security’s kryptonite.
Keeping data systems secure requires tremendous technical acumen. Just knowing how to use commercially available tools won’t help companies identify obscure breaches like this one, and it certainly won’t help them minimize vulnerabilities in new features they attempt to offer. Cybersecurity engineers need to know how to write code at an expert level so that they can attempt to create the conveniences users crave while managing to minimize their adverse effects on privacy. They must also know enough about how code, and the systems that run that code, function so that, when the inevitable breaches occur, they can work quickly to detect, isolate, and fix them, and also prescribe ways to limit their damage.
This isn’t rocket science or brain surgery; it’s cybersecurity. These days, that’s just as tough.