After the biggest attack on Facebook in history, no one knows how many hacked accounts were also used to register for services such as Uber, Instagram, Pinterest or Spotify. Facebook has not mentioned them, but their number could exponentially multiply the size of the disaster, which has been put at more than 50 million affected profiles.
“I’m going to stop using Facebook to register for online applications and sites, and you should do the same,” said technology and business journalist Farhad Manjoo in his weekly New York Times column. He is not the only one who has expressed, in the media or on social networks, a new distrust of this form of registration after discovering that Facebook is not invulnerable.
And there are more than 100,000 websites that allow this form of registration, christened Facebook Connect when the company launched it in 2008, with such success that others such as Google and Microsoft soon followed. Today it is called Facebook Login and it is a much easier way for users to register because they do not have to invent or memorize new passwords: they sign in with their Facebook credentials, and those are the only ones they have to remember.
“It’s what’s called a federated identity,” explains Securízame’s Technical Director, Lorenzo Martínez. The process is simple: “A user requests to log into a server ‘A’ using a valid Facebook session, and Facebook asks the user for express permission to do that authentication, so that the user will appear on server ‘A’ as authenticated by a foreign system, but that will be enough,” explains Martínez.
It is as if Facebook had put a lock of its own on the door of these thousands of services, so that anyone holding a Facebook key could enter through it. The problem is that this key can fall into the hands of thieves and, although sporadic identity-theft attacks were known, nobody had imagined a scenario on the scale of the current theft of tens of millions of Facebook accounts.
The social network has not said at any point whether accounts were affected in this way, but according to Lorenzo Martínez, “it makes sense that there are, because Facebook’s security failure was based on the generation of ‘tokens’ that allowed impersonating a user, and it makes sense that they can be reused.” A token is a computer “key” that stands in for the user’s password for that particular session.
With this key the thieves have access not only to Facebook but to all the services in which we have registered using the same key, with the level of control that any legitimate user would have. This means they could destroy or modify whatever they want: for example, the dates of a stay in an Airbnb apartment, a plane ticket on Expedia or an appointment on Tinder.
More sophisticated attacks could also be carried out, using user sessions to attack a corporate network. This disaster was already foreseeable in July 2017, when it was discovered that it was possible to create Facebook ‘access tokens’ by exploiting three security flaws and to use them to register on third-party sites. What was not known was that they could also be stolen.
Facebook says it has forced 40 million users to log out of their accounts and renew their credentials, but it has done nothing about third-party registrations, which will have to deal with the problem themselves. According to The New York Times, Uber is asking some users who signed in via Facebook to leave its site and sign in again, in order to invalidate old access tokens that could still be active.
“I think it’s a good thing that the user is being forced to authenticate again in third-party applications that make use of these tokens,” says Martínez. The expert warns that the same thing that has happened with Facebook can happen if we register via Google or others: “In the end it’s the same: no organization is safe from suffering a security breach.”
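The forced re-authentication that Martínez endorses and that Uber is reported to be carrying out can be modelled on the relying-party side as a small session store that remembers which identity provider established each session and when. The example below is an added illustration written for this article; it is hypothetical code, not Facebook’s, Uber’s or any real library’s API, and the user names, provider names and timestamps in it are constructed. It shows how a site (Martínez’s “server A”) can revoke only the sessions that were established with a breached provider’s tokens before a cutoff, leave sessions from other providers untouched, and accept fresh logins made after the cutoff.

```python
"""Added example: revoking federated sessions after an identity-provider breach.

Hypothetical relying-party code. Nothing here is the API of Facebook Login,
Google Sign-In or any real framework; names and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Session:
    session_id: str
    user_id: str
    provider: str          # e.g. "facebook", "google", or "password" for a local login
    issued_at: datetime    # when the provider's token was exchanged for this session
    revoked: bool = False


@dataclass
class RelyingParty:
    """Session store of a site that accepts federated logins ("server A")."""
    sessions: dict = field(default_factory=dict)
    # provider -> cutoff: sessions from that provider issued before the cutoff
    # are treated as potentially established with a stolen token.
    provider_cutoffs: dict = field(default_factory=dict)

    def login_via_provider(self, user_id: str, provider: str, now: datetime) -> str:
        """Record a successful federated login and return the new session id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, user_id, provider, now)
        return sid

    def invalidate_provider_sessions_before(self, provider: str, cutoff: datetime) -> int:
        """React to a provider breach: revoke every session established with that
        provider before the cutoff. Returns how many sessions were revoked."""
        previous = self.provider_cutoffs.get(provider, cutoff)
        self.provider_cutoffs[provider] = max(previous, cutoff)
        revoked = 0
        for s in self.sessions.values():
            if s.provider == provider and s.issued_at < cutoff and not s.revoked:
                s.revoked = True
                revoked += 1
        return revoked

    def is_valid(self, session_id: str) -> bool:
        """True only for an unrevoked session issued after any cutoff for its provider."""
        s = self.sessions.get(session_id)
        if s is None or s.revoked:
            return False
        cutoff = self.provider_cutoffs.get(s.provider)
        return cutoff is None or s.issued_at >= cutoff


def breach_drill() -> tuple:
    """Walk through a constructed breach scenario and report
    (old facebook session valid?, google session valid?, fresh facebook session valid?)."""
    rp = RelyingParty()
    t0 = datetime(2018, 9, 1, tzinfo=timezone.utc)          # constructed timestamp
    old_fb = rp.login_via_provider("alice", "facebook", t0)  # constructed user
    google = rp.login_via_provider("bob", "google", t0)      # constructed user

    # The provider announces the breach; the site cuts off every Facebook-backed
    # session created before that moment. Google-backed sessions are not affected.
    cutoff = t0 + timedelta(days=27)                         # constructed cutoff
    rp.invalidate_provider_sessions_before("facebook", cutoff)

    # Alice signs in again with a token minted after the cutoff and gets a fresh session.
    new_fb = rp.login_via_provider("alice", "facebook", cutoff + timedelta(hours=1))
    return rp.is_valid(old_fb), rp.is_valid(google), rp.is_valid(new_fb)


if __name__ == "__main__":
    print(breach_drill())  # (False, True, True)
```

The design point is that the relying party keys revocation on the provider and the issuance time rather than on individual users: that is what lets it respond to a breach it learns about only from the provider’s public statement, without knowing which of its own users were among the affected accounts.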
The alternative he most recommends is to use an email account to register on these sites and to save the passwords in a password manager. Likewise, he advises: “On those sites that offer two-factor authentication, activate it.” Another option, for sites that only allow registration with Facebook or Google accounts, is to “have an account on a social network that you use only to authenticate yourself on these sites, and do so from a browser that you use only to access these sites with this account.”