The most recent Facebook hack is way worse than you probably realize

Archive
1 min read





jason polakis@jpolakis

 · Sep 29, 2018




Replying to @jpolakis

In our experiments we demonstrated how the Facebook iOS app was exposing the session tokens over unencrypted connections, while in this attack the root cause is a complex combination of three different bugs as explained here: https://newsroom.fb.com/news/2018/09/security-update/#details  (3/n)












Security Update | Facebook Newsroom
We're taking this security issue incredibly seriously and wanted to let everyone know what's happened.

newsroom.fb.com










jason polakis@jpolakis




An unexpected finding during our experiments was that when attackers use hijacked FB tokens (i.e., cookies) to access the user’s FB account, the attacker’s session *didn’t* show up in the list of active sessions if the attacker stayed connected for less than 60 mins. (4/n)

12:48 PM - Sep 29, 2018



239


156 people are talking about this

  • “Check “Where you’re logged in” for suspicious sessions. If you see any, click the dots beside the session and then click ‘Not You?’ to report it to Facebook.
  • While there, you can get notifications if someone tries to access your Facebook profile in the section titled ‘Setting Up Extra Security.'”

Published October 9, 2018

Join the discussion — please keep to our Community Guidelines.