(Polakis says that based on his research, it isn't.) The extent of the damage that was already done over the 14 months the vulnerability was active is still unknown.
"While we haven't seen evidence this exploit was used on our platform, our security teams and systems are constantly looking for potential issues and will notify users when we detect suspicious activity on their account," Ensign says.įor now, Facebook is looking into whether the access token reset is enough to prevent the attackers from accessing these third-parties going forward. According to spokesperson Melanie Ensign, that means anyone who logged onto Uber with a new device, though it's unclear in what time frame. Uber, for its part, said it has revoked the tokens for accounts that the company believes could be at risk. WIRED contacted several developers for comment, including Strava, Tinder, Expedia, and Airbnb. If an attacker tries to log onto that same website using Facebook's Single Sign-On, the researchers found that some sites-including fitness app Strava-will associate the two accounts.Īt the time, the findings were unnerving. Say, for example, you logged onto a website with the same email address that's associated with your Facebook account.
But if the attacker has already reset the email address on that site, they're just routing the password reset email to themselves.įacebook's Dormer says the company advises developers on “best practices,” and is currently “preparing additional recommendations for all developers responding to this incident and to protect people going forward.”īut perhaps the most staggering finding in the paper is that people don't necessarily need to have logged into third-party sites with Facebook to be exposed. The rest require the attacker to conduct a formal password reset. They found that out of 29 sites, 15 allow attackers to change an account’s email without entering a password of those, six allow the password to be set without entering the old password. Polakis and his team also analyzed a subset of the sites to see what happens when you change the user’s email address or password on those third-party sites. This not only makes the perpetrators hard to catch, it can make it nearly impossible to cut them off. In fact, of those 95 sites Polakis and his coauthors studied, only 10 offer some way to purge sessions. Nor do they all provide ways to clear active sessions. But not every website offers such a digital trail. Facebook, for instance, has recommended that users look at “active sessions” as a way to spot any unauthorized access. Third-party sites could also let users view activity on their accounts.
Even more staggering: You could be at risk even if you've never used Facebook to log into a third-party site.
Instead, hackers could potentially have accessed everything from people’s private messages on Tinder to their passport information on Expedia, all without leaving a trace. If they had taken more care with their implementation of Facebook's Single Sign-On feature-which lets you use your Facebook account to access other sites and services, rather than creating a unique password for every site-the impact could have largely been limited to Facebook. Some of the web’s most popular sites have not implemented basic security precautions that would have limited the fallout of the Facebook hack, according to a recent research paper out of the University of Illinois at Chicago. But what makes it so much worse is that fixing the issue is, in many ways, out of Facebook's hands. Facebook has received ample blame for the historic data breach that allowed hackers to not only take over the accounts of at least 50 million users but also access third-party websites those users logged into with Facebook.