Throughout this year, we saw many data breaches and security issues involving Facebook. Adding to this list, last week, some hackers were able to gain access to 120 million accounts and posted private posts of Facebook users. As reported by the BBC News, the hackers also put an advert selling access to these compromised accounts for 10 cents per account.
What this Facebook hack was about?
This case of data breach seems to be different from the ones we saw previously. While the previous attacks took advantage of vulnerabilities in Facebook’s code, this breach happened due to malicious extensions. This breach was first spotted in September, when a user nicknamed as “FBSaler” appeared on an English-language internet forum. This user was selling personal information of Facebook users:
“We sell personal information of Facebook users. Our database includes 120 million accounts.”
BBC contacted Digital Shadows, a cyber-security company to investigate the case. The cyber-security company confirmed that more than 81,000 of the profiles posted online contained private messages.
Also, the data from 176,000 accounts were made available online, but BBC added that this data may have been scraped from members who had not hidden it. To confirm that these private posts and messages were actually of real users BBC also contacted five Russian Facebook users. These users confirmed that the posts were theirs.
Who exactly is responsible for this hack?
Going by Facebook’s statement to BBC, this hack happened because of malicious browser extensions. This malicious extension tracked victims’ activity on Facebook and shared their personal details and private conversations with the hackers. Facebook has not yet disclosed any information about the extension. One of the Facebook’s executive, Guy Rosen told BBC:
“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores. We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”
On deeper investigation by BBC News, one of the websites where the data was published appeared to have been set up in St Petersburg. In addition to taking the website down, its IP address has also been flagged by the Cybercrime Tracker service. According to the Cybercrime Tracker service this address was also used to spread the LokiBot Trojan. This trojan allows attacker to gain access to user passwords.
Cyber experts told BBC that if malicious extensions were the root cause of this data breach, then browsers are also responsible for it:
“Independent cyber-experts have told the BBC that if rogue extensions were indeed the cause, the browsers’ developers might share some responsibility for failing to vet the programs, assuming they were distributed via their marketplaces.”
This news has led to a big discussion on Hacker News. One of the users on the discussion shared how these kind of attacks could be mitigated by browser policies:
“Maybe it’s time for the browsers to put more effort into extension network security.
1) Every extension has to declare up front what urls it needs to communicate to.
2) Every extension has to provide schema of any data it intends to send out of browser.
3) Browser locally logs all this comms.
4) Browser blocks anything which doesn’t match strict key values & value values and doesn’t leave browser in plain text.”
We will have to wait and see how these browsers will be able to stop the use of malicious extensions and also, how Facebook makes itself much stronger against all these data breaches.
Read the full report on this Facebook hack on BBC News.