I was reading this BBC article about compromised Facebook accounts, and was wondering if anyone knows the technicalities of how they did it? All I understood is that there were some breaches due to the VIEW AS feature.
Does anyone have any technical information about this?
The article in Wired has a little more information.
The social network says its investigation into the breach began on September 16, when it saw an unusual spike in users accessing Facebook. On September 25, the company’s engineering team discovered that hackers appear to have exploited a series of bugs related to a Facebook feature that lets people see what their own profile looks like to someone else. The "View As" feature is designed to allow users to experience how their privacy settings look to another person.
The first bug prompted Facebook's video upload tool to mistakenly show up on the "View As" page. The second one caused the uploader to generate an access token—what allows you to remain logged into your Facebook account on a device, without having to sign in every time you visit—that had the same sign-in permissions as the Facebook mobile app. Finally, when the video uploader did appear in "View As" mode, it triggered an access code for whoever the hacker was searching for.
When any action is performed using the Hack code section of Facebook, it is done with a viewer context. That context contains the logic deciding if the associated piece of data can be returned. An example evaluation for the user context would be, "if (post.privacy == public || post.privacy == friends && user.is_friend() || post.privacy == custom && user.in_custom_list())..."
The view as feature, when working properly, would assign you a viewer context that has the permissions of the user you selected combined with the restriction that only your own data is viewable.
This disclosure suggests that a logic flaw was introduced into the viewer context that's assigned for the view as feature which in some circumstances did not couple the special restriction that only the requesting user's info was visible.
From what I can surmise, they used View As to gain access tokens for accounts they could use the View As feature on. This doc explains a bit about how that works: https://www.facebook.com/help/288066747875915/ You can View As your own account to see how it would look for specific Facebook friends.
It appears 10s of millions of accounts had their access tokens compromised in this manner since 2017, when a key vulnerability was introduced due to a change in Facebook Video. My guess is that this used the social network graph to spread in an automated manner, but we are still light on detail. I say this because of this line from their security update posting:
The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
Source: https://newsroom.fb.com/news/2018/09/security-update/
I found a little bit more technical information in the NY Times article:
The attackers exploited two bugs in the site’s “view as” feature, which allows users to view their own profiles as if they were someone else.
That was compounded by a flaw in Facebook’s video-uploading program, a software feature that was introduced in July 2017, the company said. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.
And even more information on TechCrunch:
Not one, but three bugs led to the data exposure.
In July 2017, Facebook inadvertently introduced three vulnerabilities in its video uploader, said Guy Rosen, Facebook’s vice president of product management, in a call with reporters. When using the “View As” feature to view your profile as someone else, the video uploader would occasionally appear when it shouldn’t display at all. When it appeared, it generated an access token using the person who the profile page was being viewed as. If that token was obtained, an attacker could log into the account of the other person.
