Facebook Plagued by Recent Security Problems

This post first appeared on Risk Management Magazine. Read the original article.

Facebook is a prime target for cybercriminals. Because the social media giant is used by billions of people, the potential attack surface is huge, as are the potential rewards for malicious actors who succeed in exploiting its security flaws. Although the company can afford to invest in some of the best coding practices and security mechanisms, the network is not invulnerable to hacking. Below are a few examples of how the loopholes in Facebook’s architecture can play into crooks’ hands.

• Facebook Sharer page abused to impose rogue tech support
In November 2018, online scammers masterminded a new hoax that takes advantage of Facebook Sharer pages. These pages are a common way for site owners to encourage their visitors to spread the word about their pages via the social network. You have all seen those hyperlinked icons on websites that can be used to repost certain content on your Timeline in a few clicks. That is exactly the mechanism that the fraudsters have “weaponized.”

After clicking on one of these enticing booby-trapped ads while on Facebook, users are instantly redirected to a deceptive Sharer page that contains a phony account security warning. Specifically, it impersonates a “Facebook Support Team” and tries to dupe the visitor into thinking their account could have been hacked and that suspicious activity has been detected on it. To restore access, the victims are instructed to reach the impostor support agents by phone, with several phone numbers being listed.

If a user is gullible enough to get on the hook, they may actually contact the pseudo support, only to be told to allow the “technicians” to access their computer remotely and allegedly fix the issue. Of course, this is pseudo assistance aimed at installing some harmful software onto people’s PCs.

• Photo API bug allowing malefactors to access users’ private pictures
The API (application programming interface) tasked with handling Facebook users’ photos turned out to have been susceptible to malicious exploitation for nearly two weeks last fall. The bug surfaced in the aftermath of a code update and was in effect from September 13 to September 25 last year.

Normally, apps that require users’ permission to access photos can only “see” the content posted on their Timeline. With the above-mentioned flaw in play, though, these privileges additionally spanned other parts of one’s profile, including Facebook Stories and Marketplace. The most disconcerting upshot of the error was that third-party apps could even access the pictures the users uploaded to the network but did not publish.

Overall, 1,500 apps installed by about 6.8 million people got these extended privileges. Facebook has since fixed the issue and instructed the developers to delete the photos obtained due to the bug.

• Audience selector bug making all new posts public
Last spring, nearly 14 million Facebook users were exposed to a bug that caused all new content they posted to be shared publicly regardless of their preferred “Who should see this?” set-up. This mishap stemmed from a coding flaw and was affecting users between May 18 and May 22 last year.

The feature called audience selector is supposed to allow people to define who can see their posts before publishing new content. There are several preferences to choose from, including “Public,” “Friends,” and “Friends and Connections.” Once selected, the desired option should be automatically suggested for further postings. However, while trying to streamline the process of sharing featured items on one’s profile, Facebook engineers mistakenly caused the setting to become “Public” for millions of users, no matter which option they had previously picked.

Once the issue was discovered, the social network’s technical staff worked to change all posts created during the specified time. The target audience for such content was set to what the users had chosen before. Also, Facebook sent notifications to those affected, asking them to review the items they had shared while the malfunction was in full swing. The company also clarified that the bug had only impacted new posts rather than existing ones. Although the issue has been fixed, the bitter aftertaste persists.

• Suspicious content shared without permission
An intricate clickjacking campaign has been circulating on Facebook since late December 2018. It involves a series of funny comics being posted on numerous users’ walls without them actually sharing anything. This content highlights some amusing aspects of relationships between men and women, so a lot of people get curious and click on the pictures, which lead to a page hosted at s3.amazonaws.com, Amazon’s “simple storage service.”

Before the destination page opens, though, the users get a dialog box that asks them to confirm they are 16 or older. However, the “Yes” button on this popup has a hidden function. After clicking it, not only does the victim access the comics page, but they also unwittingly trigger a stealth iframe tag that shares the same content on their Timeline without their consent.

Essentially, this is a technique that sprinkles the spam throughout thousands of accounts while bypassing the users’ normal permission prompts. The adverse effect of this activity is currently restricted to sharing the humorous content in a sneaky way, but the furtive iframe element could potentially trigger arbitrary actions as well, including malware downloads.

• Privacy fiasco over the “View as” feature flaw
As ironic as it may appear, a feature meant to help Facebook users verify their privacy settings turned out to endanger their privacy instead. The incident that unearthed this discrepancy revolved around the “View as” tool. Its purpose is to allow people to view what their profiles look like to others.

A bug discovered in late September 2018 resulted in dropping the wrong digital token onto the devices of “View as” users. It was the code aimed at keeping people permanently signed in to Facebook without having to re-enter their username and password each time. With this cookie-like code on a random user’s computer or mobile gadget, they could access somebody else’s account and even post on their behalf. To add insult to injury, the flaw granted unauthorized access to third-party services where the authentication was performed with Facebook credentials.

The potential attack surface at the time of the incident reportedly spanned about 50 million accounts. Facebook fixed the bug on September 27. They also reset the digital tokens for all of the vulnerable accounts, along with 40 million more that had been potentially exposed to the bug since July 2017, when the flaw was introduced.

In the aftermath of these emergency measures, nearly 100 million users ended up being logged out of their accounts. The inconvenience, though, was a trifle compared to the privacy impact that has yet to be assessed.

Why Should Businesses Be Concerned?

What are the risks stemming from known Facebook security issues in the context of businesses? There are a few that should give IT staff a heads-up.

The administrator of an enterprise Facebook account may fall for a clickjacking hoax such as the above comics-themed campaign, only to realize that the dodgy content has appeared on the company’s Timeline without due permission. Therefore, the customers who follow the organization on the social network run the risk of unknowingly joining the fraudulent hype. This predicament may diminish clients’ trust and affect the brand’s reputation.

Tech support scams exploiting the Facebook Sharer page are just as disconcerting for businesses. If an employee falls into the trap while surfing the web from their home PC and provides the crooks with access to the machine to get it “fixed,” the malefactors may install spyware that will allow them to get hold of credentials to log into corporate email and other IT assets remotely.

There is no denying the fact that any digital system is prone to error, both human and machine-level. However, for a social network used by so many people and backed by enormous revenue, security incidents should be the exception rather than the rule. Unfortunately, weak links in Facebook’s security mechanisms continue to surface, allowing perpetrators to steal people’s sensitive data, hack their accounts, and push tech support frauds.

In light of the Cambridge Analytica scandal that broke out in early 2018, Facebook should take user privacy and its own security practices more seriously. Meanwhile, users need to stay vigilant for security vulnerabilities and take steps to protect their valuable personal information.
