Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Users may do a variety of things to protect their passwords—they may use complex passwords, change their passwords frequently or use different passwords for different sites and applications. But passwords are not the only way for a hacker to access someone’s private account, as was shown by the recent Facebook breach, which is believed to have affected about 50 million accounts, in the widest-reaching cybersecurity incident the social network has seen yet.  

Instead of stealing users’ self-assigned credentials, the yet-unnamed hackers stole another kind of token, which is used to keep users continuously logged in on their devices, and which was leaked due to vulnerabilities in Facebook’s code. With this token, created in the background for users’ convenience, attackers could control a victim’s account almost as if they had the password—they could view the victim’s private messages or make posts from the victim’s profile, according to the Associated Press, although Facebook CEO Mark Zuckerberg said there was no sign the attackers did either.

This week I discussed the breach with Dr. Ray Klump, professor and chair of computer and mathematical science at Lewis University, who is also the director of the Master of Science in Information Security program at the school. Klump said the tokens that keep users conveniently logged in played a role in making them vulnerable to the breach.

“Convenience is security’s kryptonite,” Klump said, in a statement about the breach.

3-Part Loophole Exposed Access Tokens

Facebook’s official statement following the breach, posted Sept. 28, explained that three “bugs” in the site’s code interacted to leak the log-in access tokens to the unknown attackers. The first bug involved the social network’s “View As” function, which lets users see how their profile appears to another specific user on the site. Normally, users couldn’t post to their profile from that “view-only” mode, but the first bug made the function for wishing a friend happy birthday active from the “View As” interface.

The second bug involved the video uploader that would appear to the user when they selected the erroneously active “happy birthday” function. The video uploader, a newer version that was updated in July 2017, contained a bug that caused it to generate an access token, which could then be viewed in the HTML of the page.

The third bug allowed the breach to spread from profile to profile, which ultimately snowballed into the enormous 50-million-account scope of the attack. Instead of generating an access token for the account of the user who had entered “View As” mode, the uploader generated a token for the other person whose view of the profile the user was simulating.

For example, if I wanted to know how Mark Zuckerberg would see my profile, I could use the “View As” function to find out, then access the “happy birthday” video uploader, which would leak to me Mark Zuckerberg’s own access token. As it happens, Zuckerberg’s own account was one of the millions compromised, the AP reported.

“It is interesting to note that this vulnerability impacts a feature Facebook had added to protect users’ privacy,” Klump said. “More rigorous and more frequent testing that considered specifically how tokens could be stolen would have helped prevent this attack. Token theft must be part of all code tests Facebook performs for future features and modifications.”

Facebook says the flaws in the site’s code have been fixed, and all the affected accounts, as well as an additional 40 million accounts for which “View As” mode had been used, have been logged out, resetting the stolen access tokens.
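To make the chain concrete, here is a small constructed model of the flaw and its fix, written for this column and not taken from Facebook’s code. The names (`Session`, `TokenService`, `buggy_uploader_token`, `hardened_uploader_token`) are assumptions of the model: a session carries the logged-in user plus an optional “View As” identity, the buggy uploader mints a token for whichever identity is being rendered, and the hardened version refuses to issue tokens in view-only mode and otherwise binds them to the authenticated user; `revoke_all` models the forced logout that reset the stolen tokens.

```python
"""Toy model of the 'View As' access-token flaw; constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str                       # principal who actually authenticated
    acting_as: Optional[str] = None  # identity whose view is being rendered ("View As")


class TokenService:
    """Issues long-lived access tokens and tracks which user each one grants."""

    def __init__(self) -> None:
        self.live: Dict[str, str] = {}  # token -> user it acts on behalf of

    def mint(self, user: str) -> str:
        tok = secrets.token_urlsafe(32)
        self.live[tok] = user
        return tok

    def is_valid(self, tok: str) -> bool:
        return tok in self.live

    def revoke_all(self, user: str) -> int:
        """Force logout everywhere: drop every outstanding token for this user."""
        stale = [t for t, u in self.live.items() if u == user]
        for t in stale:
            del self.live[t]
        return len(stale)


def buggy_uploader_token(svc: TokenService, session: Session) -> str:
    # Bugs 2 and 3 combined: the uploader needlessly mints a token, and it
    # picks the *rendered* identity as the principal, so in "View As" mode
    # the token belongs to the other person and ends up in the page HTML.
    principal = session.acting_as or session.user
    return svc.mint(principal)


def hardened_uploader_token(svc: TokenService, session: Session) -> str:
    # Fix: a view-only mode never issues credentials, and any token that is
    # issued is bound to the authenticated user, not the impersonated one.
    if session.acting_as is not None:
        raise PermissionError("no token issuance in View As mode")
    return svc.mint(session.user)
```

The hardened path also illustrates the testing point made above: a test that asserts every minted token maps back to `session.user` would have caught the impersonated-identity bug directly.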

More Tokens, More Problems?

While the main cause of the breach was the three-bug combination described above, Klump expressed concerns about the cost to cybersecurity posed by convenience features such as access tokens that more or less serve as a substitute for log-in credentials when users want to stay logged in long-term. He described two ways that sites like Facebook implement such tokens, the first way designed to prevent cross-site request forgery (CSRF), in which a malicious site leverages a victim’s established access to another site to launch a request that appears to come from that user.

“A user is given a unique, very-long string that is granted at the time they initially connect and cannot be transferred from one site to another,” Klump explained. “I imagine Facebook used some variation on CSRF tokens for its site, but implemented it wrong when it came to the ‘View As’ feature that was exploited in this breach.

“A less secure way to implement these access tokens is to store them in cookies, which are little files that your browser uses to record your information so that you don’t have to re-enter information into sites you’ve visited before,” Klump continued. “If they aren’t properly protected, data stored in cookies can be read and transmitted to sites that shouldn’t have them. That is called a cross-site scripting attack, and they can be pretty easy to perform.”

The use of Facebook to authenticate many third party apps raised concerns that these apps would also be affected by the breach. Facebook said on Sept. 31 that third party apps, including the Facebook-owned Instagram, could have been affected, according to the AP, though they said in an Oct. 2 update that they found no proof so far that hackers had accessed any of these apps.

Third party authentication is another convenience feature that can pose security risks to users. Last spring, a token-based authentication protocol called OAuth, which allows third party apps to access information from one’s profile with one click, was leveraged in a Google phishing scheme. OAuth also played a part in the Cambridge Analytica scandal earlier this year, with the analytics firm gaining permissions through an app and harvesting more data from profiles than users were aware of.

In many ways, users may exchange security and privacy for faster and easier access to all their sites and apps. But finding a better balance between speed and safety could protect more users from falling victim to similar breaches in the future.

Learning From the Latest Breach

Though these aforementioned tokens and protocols may open up some new avenues that hackers can take advantage of, the convenience they provide is still in high demand on sites like Facebook and Google.

“The industry has become increasingly and painfully aware of the tug-of-war between security and convenience, but they are unwilling to sacrifice convenience, because their users demand it,” Klump explained. “So, the industry has to become more expert and vigilant on testing software rigorously and frequently after all changes and feature additions, and it must constantly look to expand its repertoire of tests as new exploits arise so that we can learn from attackers’ past success.”

Users can also learn from this event, and take steps going forward to make their accounts less vulnerable. Users may not be able to change and customize their access tokens in the same way they can change and customize their passwords, but they can reduce how much they rely on keys that grant ongoing account access.

“A user could avoid relying on tokens by not checking the box to stay logged in to Facebook or other apps. However, that will get very annoying rather quickly, particularly on a phone, because the user will then have to log in every time they open the app,” Klump said. He then offered a compromise.

“A better option would be to make sure they log out once a day, which means they’ll have to log in the next time they use the site,” he concluded. “I think most people can live with logging in once a day.”