Category Archives: social networks

Facebook Data Breach Update: attackers accessed data of 29 Million users

Facebook data breach – The company provided an update on the data breach it disclosed at the end of September: hackers accessed the personal data of 29 million users.

Facebook announced that hackers accessed the data of 29 million users, fewer than the 50 million initially thought.

The attack did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts, the company said.

Attackers exploited a vulnerability in the “View As” feature, which lets users see how others see their profile, to steal users’ Facebook access tokens.

Earlier this month Facebook revealed that attackers chained three bugs to breach the Facebook platform.

“We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly, then expanded their activity to the networks of those accounts.

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Rosen added.

“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”


Facebook is cooperating with the US authorities, the Irish Data Protection Commission and other authorities regarding the breach.

Rosen confirmed Facebook had “no reason to believe this attack was related to the mid-term elections” in the US.

Pierluigi Paganini

(Security Affairs – Facebook data breach, hacking)

The post Facebook Data Breach Update: attackers accessed data of 29 Million users appeared first on Security Affairs.


Google+ Shuts Down Following Undisclosed Data Breach

After a privacy breach detected this spring, Google has decided to pull the plug on its social network, Google+, according to a disclosure released on Monday. The story is more complicated, as it’s about more than a simple data breach – it’s about Google keeping quiet and not publicly announcing the breach for fear of consequences including public scrutiny.

A software bug in the site allegedly allowed external developers to access hundreds of thousands of user profiles between 2015 and March 2018, reported The Wall Street Journal. Apparently, external developers could have accessed full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.

Google says there’s no evidence that data was abused or that developers even knew about the bug. The glitch was fixed in March 2018 when it was detected. This does, however, raise serious questions about the company’s approach to security and its treatment of users.

The Wall Street Journal, the first to report the incident, analyzed an internal document written by Google’s legal and policy team which argued that announcing the breach would generate “immediate regulatory interest” and compared the incident with the Facebook – Cambridge Analytica story. An internal committee then decided not to inform users and just let it slide.

“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” said a Google spokesman.

“Whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he added. “None of these thresholds were met here.”

Released in 2011, Google+ was meant to become a strong competitor for Facebook but it ended up a failed project.

Attackers chained three bugs to breach into the Facebook platform

Facebook has revealed additional details about the cyber attack that exposed personal information of 50 million accounts.

Last week, Facebook announced that attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

The “View As” feature lets users see how others see their profile; it was implemented under the privacy section to help users check that only the intended data is visible on their public profile.

Facebook noticed a traffic spike on September 16 but determined that it was under attack only on September 25, when it also discovered how the attackers had breached the platform. The incident was disclosed on September 27.

Facebook disabled the “View As” feature in response to the incident, reset the security tokens for the 50 million impacted accounts, and, as a precautionary measure, reset them for another 40 million accounts.

Attackers also accessed data of the Facebook founder Mark Zuckerberg and the COO Sheryl Sandberg. Facebook is notifying users whose tokens have been compromised.

According to Facebook, the vulnerability is the result of chaining three flaws affecting the “View As” feature and Facebook’s video uploader.

The company clarified that the version of the video uploader interface affected by the vulnerability was introduced in July 2017.

  1. Experts noticed that “View As” displays the profile as a read-only interface, but the platform failed to validate the content submitted through the text box that lets people wish their friends a happy birthday (this is the first bug). The experts discovered that it was possible to post a video through this field.
  2. The second issue is that, when a video was posted through that text box, the video uploader generated an access token carrying the permissions of the Facebook mobile app.
  3. The third bug is that the generated token was not for the user who was using “View As” but for the user whose profile was being viewed; this means attackers could extract the token from the page’s HTML and use it to take over the targeted user’s account.

It is interesting to note that an attacker would first break into a friend’s account and then move on to target other accounts connected to it.

“It was the combination of these three bugs that became a vulnerability: when using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user,” explained Guy Rosen, VP of Product Management.

“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” added Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.
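To make the three-link chain concrete from a defender's side, here is a small Python model (added here; not Facebook's code, and the function names, `Session`/`AccessToken` types and `"mobile_app"` scope are assumed for illustration) of a preview page that leaks a token bound to the wrong principal, beside a hardened version in which each link is removed, plus the invariant a test suite would assert on every rendered page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Logged-in account and, during a "View As" preview, the friend
    whose perspective is being rendered (None outside a preview)."""
    user_id: str
    view_as: Optional[str] = None


@dataclass(frozen=True)
class AccessToken:
    subject: str   # account the token acts on behalf of
    scope: str     # hypothetical permission level (assumed name)


def render_profile_vulnerable(session: Session) -> dict:
    """Bug 1 as modelled here: the preview is meant to be read-only, but
    the birthday composer is never stripped, so content can be submitted."""
    return {"read_only": session.view_as is not None, "composer": True}


def uploader_token_vulnerable(session: Session) -> AccessToken:
    """Bugs 2 and 3 as modelled here: the uploader mints a full mobile-app
    token inside the preview and binds it to the viewed profile."""
    subject = session.view_as or session.user_id
    return AccessToken(subject=subject, scope="mobile_app")


def page_vulnerable(session: Session) -> dict:
    """The minted token ends up embedded in a page the viewer can read."""
    page = render_profile_vulnerable(session)
    if page["composer"]:
        page["embedded_token"] = uploader_token_vulnerable(session)
    return page


# ---- hardened counterparts: each removes one link of the chain ----------

def render_profile_fixed(session: Session) -> dict:
    """Fix 1: a read-only preview renders no composer at all."""
    preview = session.view_as is not None
    return {"read_only": preview, "composer": not preview}


def uploader_token_fixed(session: Session) -> AccessToken:
    """Fix 2 and 3: never mint a token while rendering another viewpoint,
    and bind every token to the authenticated actor, never the subject."""
    if session.view_as is not None:
        raise PermissionError("no token issuance inside a View As preview")
    return AccessToken(subject=session.user_id, scope="mobile_app")


def page_fixed(session: Session) -> dict:
    page = render_profile_fixed(session)
    if page["composer"]:
        page["embedded_token"] = uploader_token_fixed(session)
    return page


def token_bound_to_actor(page: dict, session: Session) -> bool:
    """Invariant to assert in tests: any token that reaches a response
    must belong to the authenticated user of that session."""
    token = page.get("embedded_token")
    return token is None or token.subject == session.user_id


if __name__ == "__main__":
    preview = Session(user_id="alice", view_as="bob")   # constructed sample
    print("vulnerable page keeps invariant:",
          token_bound_to_actor(page_vulnerable(preview), preview))
    print("fixed page keeps invariant:",
          token_bound_to_actor(page_fixed(preview), preview))
```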

According to Facebook, the attackers queried the APIs to access profile information, but no private information (private messages or credit card data) seems to have been accessed.

Another aspect that was underestimated is that the exposed tokens could be used to access third-party apps that allow authentication with a Facebook profile. The token reset also mitigated this risk.

Experts also warn that users who have linked Facebook to an Instagram account will need to unlink and re-link their accounts due to the reset of the tokens.

Based on the info shared by Facebook, the attack was probably carried out by advanced attackers.

In the coming weeks we will have a clearer picture of the impact of the hack on the company; the company could face a $1.63 billion fine under the EU GDPR.

Rumors of a class action lawsuit are circulating online.

Pierluigi Paganini

(Security Affairs – Facebook hack, hacking)


Facebook faces a whopping €1.4 billion penalty under GDPR for Sept. 30 data breach

Facebook, which revealed last week that a massive data breach compromised 50 million accounts, is facing a potential $1.63 billion / €1.4 billion penalty under new European regulations.

A Facebook investigation revealed that attackers exploited a vulnerability in the “View As” feature that lets people see what their own profile looks like to external parties.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” the company said in a breach notice signed by its VP of Product Management, Guy Rosen.

Facebook discovered the breach Tuesday, Sept. 25, and complied with the EU’s General Data Protection Regulation’s requirement that entities report a breach within 72 hours of the moment they learned of it. The company offered few details about the hack, but promised to take the incident extremely seriously and offer updates as investigators learn more about what happened.

Facebook’s lead privacy regulator in Europe, Ireland’s Data Protection Commission, is ready to fine the social network up to $1.63 billion / €1.4 billion for this incident, under the European Union’s GDPR.

In an emailed statement, the regulator told the press it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

“Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of EUR20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation,” reports MarketWatch.

Since then, Facebook has issued several updates with clarifications about the breach, though the situation remains virtually unchanged – users whose accounts fell into the wrong hands before Facebook’s auto-logout could be compromised.

If you’ve found yourself logged out of Facebook after the news hit the wires, Facebook says there’s no need to change your password. But if you’re having trouble logging back into your account, the company says you should learn what you can do at this address.

Facebook: User shadow data, including phone numbers may be used by advertisers

The worst suspicion is a disconcerting reality: Facebook admitted that advertisers were able to access phone numbers its users had provided for enhanced security.

Researchers from two American universities discovered that phone numbers given to Facebook for two-factor authentication were also used for advertising purposes.

“These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings,” reads the study published by the researchers. 

“Most worrisome, we found that phone numbers uploaded as part of syncing contacts — that were never owned by a user and never listed on their account – were in fact used to enable PII-based advertising.”

The study investigates the channels through which advertisers can gather personally identifying information (PII) from the Facebook, WhatsApp and Messenger services.

The contact lists uploaded to the Facebook platforms could be used by advertisers who, once they have extracted the personal information, can leverage it to target people in their networks.

The experts speculate that Facebook is using a hidden layer of details it holds about its users, such as phone numbers used for 2FA, which they called “shadow contact information.”

The study supports concerns that Facebook uses “shadow” sources of data, which were not given to the social network for the purpose of sharing, to make money from advertising.

“We use the information people provide to offer a better, more personalized experience on Facebook, including showing more relevant ads,” a spokeswoman told Gizmodo, which first reported the news.

Facebook continues to face a severe crisis over the way it manages its users’ data; the Cambridge Analytica case shocked the world with the way the social network giant shared the information of its unaware users with third-party companies.

At the time of writing, Facebook’s Guy Rosen, VP of Product Management, announced that attackers had exploited a vulnerability in the “View As” feature to steal the Facebook access tokens of 50 million users.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)



Millions of accounts affected in latest Facebook hack

Facebook announced earlier today that its social network had been hacked, resulting in 40 million accounts that were directly impacted, while another 50 million were also considered to be potentially affected.

Attackers exploited a feature in Facebook called “View As,” which essentially shows how your profile looks to others. The flaw enabled them to get hold of so-called Access Tokens, which allowed them to be logged in as genuine Facebook users without having to use their password.

The feature has for now been turned off and the underlying vulnerability fixed. A law enforcement investigation is ongoing to determine the full scope of this hack and identify the eventual perpetrators.

Facebook says it has taken action and that there is no need for users to reset their passwords, although it is a good opportunity to remind users that passwords should be complex and not reused across multiple services.

We recommend people follow the Facebook hack story to get a better idea of what exactly was accessed and take the necessary precautions. We will keep Labs readers informed of further developments.

The post Millions of accounts affected in latest Facebook hack appeared first on Malwarebytes Labs.

Facebook hacked – 50 Million Users’ Data exposed in the security breach

Facebook hacked – Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

Facebook hacked: this is news that is rapidly spreading across the Internet. A few hours ago, Facebook announced that an attack on its computer network exposed the personal information of roughly 50 million users.

The social network giant discovered the security breach this week; the attackers exploited a bug in the “View As” feature to steal users’ access tokens and take over their accounts.

Facebook has identified and already fixed the flaw exploited in the attack; it immediately launched an investigation and reported the incident to law enforcement.

In a blog post, Facebook’s Guy Rosen, VP of Product Management, explained that the attackers exploited a vulnerability associated with Facebook’s “View As” feature that allowed them to steal Facebook access tokens. These tokens could then be used to take over people’s accounts.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” stated Guy Rosen, Facebook VP of Product Management.

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

Facebook disabled the “View As” feature in response to the incident, reset the security tokens for the 50 million impacted accounts, and, as a precautionary measure, reset them for another 40 million accounts.

“Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.” continues Guy Rosen.

“Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.”


Facebook revealed that the bug exploited by the attackers was introduced with a change to their video uploading feature made in July 2017.

The tech giant said it did not know the source of the attack or identity of the attackers.

“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”

The company will provide more information once the investigation is completed.

Pierluigi Paganini

(Security Affairs – Facebook hacked, data breach)


Smashing Security #093: Abandoned domains and dating app dangers

How do fraudsters exploit abandoned domains to steal your company’s secrets? How can you better protect your privacy when looking for love online? And who has the longest arms in the animal kingdom?

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?

Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.