Yesterday, Facebook announced that it found — and fixed — a stunning security breach that put 50 million people’s accounts at risk. In the words of Facebook executives, the attack was “sophisticated” and its reach was “broad.” And, more chillingly, we don’t know who was behind it or what they intended to do with that account data.
“While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk,” Facebook CEO Mark Zuckerberg said, “the reality is we need to continue developing new tools to prevent this from happening in the first place.”
His sentiment is correct: Facebook needs to prevent these sorts of breaches before they happen. But is that even possible? Can Facebook pre-emptively stamp out every potentially disastrous vulnerability before it’s discovered? Almost certainly not.
Facebook has come a long way since one person could actively manage it from a dorm room. Aaron Chiu, a software engineer for Facebook, noted on Quora that as of five years ago, core Facebook was made up of 62 million lines of code. A codebase that complex requires a great many stewards, and the service has only grown more sophisticated since then.
More moving parts mean more things that could go awry, and the service’s growing complexity makes it highly unlikely the company will ever be able to completely secure its products. (When asked if the company felt otherwise, a Facebook spokesperson simply pointed at existing statements.)
It doesn’t help that this breach — one of, if not the, largest in the company’s history — came about through a seemingly unlikely confluence of flaws.
Guy Rosen, Facebook’s vice president of product management, said on a call with reporters earlier today that the breach was the result of three bugs inadvertently working in tandem. The first allowed people using Facebook’s View As feature, which lets you see what a particular friend would see if they looked at your profile, to access a video uploader that they shouldn’t have been able to use.
That uploader is the crux of bug number two: it created a single sign-on token meant for Facebook’s mobile app, not the standard web version. The final bug was arguably the most damning: the access token created by the video uploader was for the account being viewed, allowing the attacker (or attackers, we’re not sure) to gain access to a stranger’s profile and repeat the process for that person’s friends.
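A simplified model of the three-bug chain described above, added here as an illustration and not Facebook's code: it shows a token issuer that trusts the preview identity next to one that enforces each invariant separately. The class and function names and the "web"/"mobile" labels are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class RequestContext:
    authenticated_user: str        # who actually logged in
    client: str                    # "web" or "mobile" (assumed labels)
    view_as: Optional[str] = None  # set only while previewing as someone else

    @property
    def effective_viewer(self) -> str:
        # Identity used for rendering decisions while a preview is active.
        return self.view_as or self.authenticated_user

@dataclass(frozen=True)
class Token:
    subject: str
    audience: str

class TokenRefused(Exception):
    pass

def violations(ctx: RequestContext, tok: Token) -> List[str]:
    # One independent invariant per bug in the chain; any single one
    # holding would have stopped the token from being usable.
    found = []
    if ctx.view_as is not None:
        found.append("issued-in-preview")
    if tok.audience != ctx.client:
        found.append("audience-mismatch")
    if tok.subject != ctx.authenticated_user:
        found.append("subject-mismatch")
    return found

def uploader_token_flawed(ctx: RequestContext) -> Token:
    # Models the flaws together: runs inside a preview, mints a mobile-app
    # token for a web page, and names the previewed user as the subject.
    return Token(subject=ctx.effective_viewer, audience="mobile")

def uploader_token_hardened(ctx: RequestContext) -> Token:
    # Bind the token to the authenticated session and requesting client,
    # then refuse issuance if any invariant still fails (e.g. in a preview).
    tok = Token(subject=ctx.authenticated_user, audience=ctx.client)
    if violations(ctx, tok):
        raise TokenRefused(", ".join(violations(ctx, tok)))
    return tok

# Constructed contexts: alice previews her profile as bob; alice browses normally.
PREVIEW = RequestContext("alice", "web", view_as="bob")
NORMAL = RequestContext("alice", "web")
```

Running `violations` over issued tokens also works as an audit check: the flawed issuer in the preview context trips all three invariants at once.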
That’s a highly arcane discovery to make, and had any one of those features worked correctly, 90 million people wouldn’t have to worry about what’s happening with their personal data. If you zoom in on those individual issues, though, they seem relatively benign.
Facebook missing a single huge flaw would’ve been one thing; this breach was made possible by three small ones failing together. These kinds of cascading, co-dependent failures can be difficult to account for, especially when you take into account how frequently Facebook seems to update the components of its service. That’s fair enough: there are a lot of them, after all.
While it might be tempting to assume that a recent management shake-up that left Facebook without a Chief Security Officer didn’t help, the company claims the opposite. Facebook said earlier this year that it has begun to embed security engineers and analysts into product engineering groups to help address new threats, and Rosen told journalists he thinks that move helped internal investigators “find and address” this issue faster.
Rosen also noted that Facebook is gearing up to increase the number of employees working on “safety and security” from about 10,000 to 20,000. Throwing eyes and brains at the problem is certainly a step in the right direction, though members of the security community insist that it’ll take more than just new hires to ferret out flaws.
“It’s not necessarily the number of eyes on a piece of software that matters, but more so the diversity of people probing it,” Malwarebytes researcher Jérôme Segura told Engadget. “This means that internal code review is great but the benefits of having third-party researchers and companies scrutinize it as well is invaluable.”
As this whole debacle has proven, a handful of tiny flaws working in ways no one expects is capable of doing plenty of damage. Thankfully, there are ways for Facebook to get better at addressing the low-hanging fruit: Segura said that code segmentation and compartmentalization, combined with regular internal and external audits, “can actually make the overall product more secure.” Even so, Segura conceded that “complex bugs will always exist.”
For now, all we can do is wait for answers. Facebook is confident that only 50 million users were directly affected by the vulnerability, but the company isn’t yet sure how (or if) those accounts were “misused”.
And considering the scope of this breach and the continued involvement of the FBI, it’ll be a while before we understand the full extent of what those attackers were after and whether they were ultimately successful.
One thing seems clear, though: Facebook is a complex service that stores a lot of valuable, personal information, and it has a target painted on its back. These attacks aren’t going to stop anytime soon, and Facebook won’t be able to fend off all of them forever.