It has been reported that Facebook has found a security flaw affecting almost 50 million accounts that would allow attackers to take over people’s profiles, a further blow to the social network’s record on privacy. The disclosure prompted new threats of investigations into the social network by at least one state attorney general and by the Irish authorities who protect the interests of European users.
Commenting on this, Dan Pitman, principal security architect at Alert Logic, said: “The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately as by GDPR and other compliance requirements.
Facebook has identified this was a vulnerability in its website code that allowed the attacker to gain authenticated access, which then allowed them to get effective access permissions for huge numbers of users, giving the attacker the ability to access those users’ accounts as if they were the user themselves. Forcing a logout on the users changed the access keys to help ensure no use of them remained.
They will be working to establish if any of these accounts were actually accessed and what personal data may have been lost, especially in the case of high profile users.
New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.
This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge. The applications are made up of components built by different developers at different times working based on older best practices, all of this means that vulnerabilities are an inevitability. In Facebook’s case, there will be people working hard to identify flaws in both trenches and this time the attackers got there first.”
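The remediation step mentioned above, forcing a logout so that previously issued access keys stop working, is the standard answer to stolen session tokens: invalidate everything issued before the incident rather than trying to find the individual stolen copies. The following is an added illustration written for this page, not Facebook's code nor anything Alert Logic published. It assumes a hypothetical server-side session store that keeps a per-user token version; a forced logout bumps the version, so every token minted before the bump fails validation even if it was copied by an attacker. The user IDs and tokens are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Hypothetical session store for illustration only.

    Tokens have the form  <user_id>:<version>:<hmac>  where the HMAC is
    computed over "<user_id>:<version>" with a server-side key.  The
    per-user version is the revocation handle: bumping it makes every
    outstanding token for that user invalid without touching the tokens.
    """

    # Server-side signing key; never leaves the server.
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # user_id -> current token version (0 if never logged out by force)
    token_version: dict = field(default_factory=dict)

    def _mac(self, user_id: str, version: int) -> str:
        msg = f"{user_id}:{version}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Mint a token bound to the user's *current* version."""
        version = self.token_version.setdefault(user_id, 0)
        return f"{user_id}:{version}:{self._mac(user_id, version)}"

    def validate(self, token: str):
        """Return the user_id for a valid, unrevoked token, else None."""
        try:
            user_id, version_s, mac = token.split(":")
            version = int(version_s)
        except ValueError:
            return None  # malformed token
        # Constant-time comparison: a forged or tampered token fails here.
        if not hmac.compare_digest(mac, self._mac(user_id, version)):
            return None
        # A token signed for an older version was revoked by a forced logout.
        if version != self.token_version.get(user_id, 0):
            return None
        return user_id

    def force_logout(self, user_id: str) -> None:
        """Invalidate every token ever issued to this user."""
        self.token_version[user_id] = self.token_version.get(user_id, 0) + 1

    def force_logout_many(self, user_ids) -> int:
        """Bulk revocation for an incident; returns how many users were reset."""
        count = 0
        for user_id in user_ids:
            self.force_logout(user_id)
            count += 1
        return count


def demo() -> dict:
    """Walk through issue -> steal -> forced logout -> re-login."""
    store = SessionStore()
    stolen = store.issue("alice")           # attacker copies this token
    before = store.validate(stolen)          # works: 'alice'
    store.force_logout_many(["alice", "bob"])
    after = store.validate(stolen)           # None: token is now revoked
    fresh = store.issue("alice")             # user logs in again
    relogin = store.validate(fresh)          # works again with new version
    forged = store.validate("alice:1:" + "00" * 32)  # bad HMAC, rejected
    return {"before": before, "after": after, "relogin": relogin, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The version lives on the server, so revocation does not depend on locating or recalling the leaked tokens, which matters when you cannot know which of tens of millions of tokens were exfiltrated. Tokens are compared with `hmac.compare_digest` so that validation time does not leak how many bytes of a forged HMAC were correct.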