The Massive Facebook Hack May Have Spread Further Than Facebook
Last Friday's Facebook hack affecting 50 million users drew all the condemnation and blame you'd expect from another high-profile security breach, but the attack wasn't merely confined to Facebook. Many of the third-party apps that people log into via Facebook were potentially caught up in the mess as well.
By exploiting the social network's code and obtaining access tokens to commandeer Facebook profiles without a password, hackers made ample use of Facebook's Single Sign-On (SSO) feature and, potentially, of large amounts of data stored on different websites.
SSO is the easy and increasingly common way to log into apps like Spotify, Tinder and Airbnb with your Facebook profile, in lieu of creating a separate password for every account. It's a quick and convenient alternative to managing multiple passwords, but it can also make those accounts more susceptible to hacks, as last Friday's episode illustrated.
The company's vice president of product, Guy Rosen, laid bare the potential ripple effects in a conference call with reporters last week: “The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login,” Rosen said, according to Wired.
In essence, SSO makes your Facebook profile an all-access key that opens tons of doors across the web. So far, neither Facebook nor any third-party sites have confirmed that the hack spread onto other platforms.
The issue speaks to the far-reaching consequences of the second major breach endured by Facebook in a calendar year. It also hints at a glaring problem with digital security in general: Facebook has fashioned itself as the identity broker for much of the internet and, currently, it doesn't appear to be working so well.
Similar episodes have occurred on major social media platforms: Last year, a Twitter app was breached by similar means, illustrating how hackers can intercept your accounts without a password.
According to a recent study from the University of Illinois at Chicago, Facebook is the largest originator of SSOs on the internet, beating Google and Twitter. The company's broad influence, coupled with its inability to quell major attacks, doesn't really inspire faith in a world where this won't happen again.
Source: Wired