National Cybersecurity Awareness Month (NCSAM) just ended, but being cyber aware continues to be a 24/7 priority that is everyone’s responsibility. As the National Cyber Security Alliance shared during NCSAM, “In these tech-fueled times, our homes, societal well-being, economic prosperity and nation’s security are impacted by the internet.”
The veracity of that statement was proven by the recent Facebook hack, which not only dominated the news but also had hundreds of millions of people worried that their accounts had been compromised or duplicated. The hack, which the company called a “major security breach,” allowed hackers to get into and take control of millions of accounts through a video application vulnerability that duplicated the users’ access tokens. While we may never know why the hackers wanted in, we do know that a few simple pre-deployment cyber review steps could have detected the vulnerabilities and protected Facebook users, according to Bryant G. Tow, Managing Principal of CyberRisk Solutions.
“The failure at Facebook was the implementation of a video upload feature without proper diligence,” he explained. “If it had been a part of their security ecosystem to check the code prior to deployment, then it is highly likely that this vulnerability would have been identified.
“Any basic code review software would have spotted it, because the fact that a token could be accessed would be a huge red flag.”
As Tow explained, there was no reason for an access token to be in a video uploader, and he speculates that it was being repurposed.
“Sometimes, when software or an application is being repurposed, it doesn’t get looked at as thoroughly as it would if it was new,” Tow said. “That’s where a true security ecosystem that includes reviewing and running every software or application through security testing prior to deployment becomes a necessity.”
As he pointed out, pre-deployment review and testing should be “standard operating procedure” for every company. “That did not happen with Facebook, or somebody would have said, ‘Why are we pulling authentication through this video upload if we already checked credentials?’”
The well-documented fix was logging out of Facebook and logging back in, which would have created a new authentication for the account. Tow suggests that everyone take protection a step further, however.
“Facebook users should go to their security settings and do a quick review. Most people will be really surprised to find that every access token they ever created is still there,” Tow said. “Basically, your entire history of where you generated an access token will be there, and you will need to clean those up.”
Because we use the internet for almost every aspect of our lives – from working to socializing – being aware of vulnerabilities and knowing what you can do to stay secure will help you get a step closer to the well-being noted by the National Cyber Security Alliance.