Monday, October 1, 2018

Latest Facebook breach piles on India worries

BENGALURU: Many Indians on Facebook are likely to be among at least 50 million victims of a breach that exposed accounts and their linked third party apps to hackers, say security experts. It adds to the social network’s mounting woes in its largest market. Experts say the impact could be far-reaching because beyond Facebook, hackers could have accessed any account logged into using Facebook.

In India, Facebook’s single sign-on feature allows users to log into third party apps such as Swiggy, Zomato, BigBasket, Hotstar, Tinder, Nykaa, SonyLIV, RentoMojo, FreshMenu, Chai Point, Quora, Snapchat, HealthifyMe, and Dominos, among others, without creating a unique profile for each one. The social network had about 270 million users in India at the end of July, according to the Statista website.

“Many of the affected parties could be from India,” said Anand Prakash, founder of cyber security startup AppSecure. “Even my Facebook account got compromised (logged out). I am not sure what kind of data was accessed by the hackers.”

While Facebook has informed law enforcement authorities in the US and communicated the breach to the Irish Data Protection Authority too, ET could not verify if any Indian authority has been notified. Facebook India declined comment, directing queries to its global office.

The company is already the subject of a preliminary enquiry by the CBI in connection with the Cambridge Analytica scandal. It also faces severe criticism here over use of its platform to spread fake news. Facebook India vice-president and managing director Ajit Mohan will have to tackle these challenges head-on when he takes charge next year. The appointment of Mohan, Hotstar’s former chief executive, was announced last week after about a year without an India head.

In the latest Facebook breach, attackers exploited a vulnerability in the code of the ‘View As’ feature that lets users see what their profiles look like to others.
Facebook has now fixed the vulnerability and launched an investigation. It also logged out the 50 million affected users and an additional 40 million after the reveal. “We cannot say with absolute surety what went wrong until Facebook shares more information,” said Prakash.

In a special conference call, Facebook founder Mark Zuckerberg said, “The vulnerability allowed the attackers to steal Facebook access tokens—the equivalent of a digital key—which they could have used to take over or access people’s accounts.”

The company did not reveal whether these hacked accounts were misused. Preliminary investigation shows these tokens were used to access posts, private messages or let the hackers post anything on the accounts. The hackers also tried accessing profile information such as name, gender, location and photos from compromised accounts.

“Facebook users do not have to change their username and password; those weren’t compromised,” said Rahul Sasi, chief technology officer, CloudSek, a Bengaluru-based cybersecurity company. “The access tokens have been compromised and Facebook has force re-set access token now.”

Cybersecurity and privacy researcher Dr Lukasz Olejnik warned about a potential wider impact. “There is a potential risk of a second tier leak… It is too early to reason about the extent of any possible leaks but access tokens, in principle, allow total control over user accounts, possibly also involving third party apps where the user has been logged via Facebook login,” said Olejnik.

It is unclear how long the hackers will be able to use the access tokens to get into third party apps. Facebook has not offered details on what kind of data could have been compromised from third party apps.

from Economic Times https://ift.tt/2NTnoRF
