
Facebook’s Latest Breach: They Simply Missed Chained AUTH

I found this interesting article from InTouch, hope you enjoy it
As everyone is aware by now, Facebook admitted that around 40 million user accounts were hijacked through what is technically known as “impersonation”, achieved with plain old “session hijacking” techniques. Although Facebook insists that the breach was accomplished using a series of related bugs, it is still very obvious that this attack used plain old techniques that the majority of modern frameworks have built-in protection against.

With the above being said, I truly believe that programmers should always keep in mind that even giant platforms, like Facebook, can easily be targeted when programmers underestimate security measures. Understanding security and applying it properly is one of the most important factors that developers tend to overlook or skip, simply because they rely on other team members doing it.

In reality, the best people to introduce security into any system are the developers themselves, while they are actually writing their code. The reason is simple: no matter how good the security design is, the real strength of security lies in the implementation.

How Was Facebook Attacked?

Based on the facts revealed so far, attackers combined two bugs to gain access to user profiles. The first bug displayed a Video Upload tool on the “View As” page, where it should not have been present. When displayed, the Video Upload tool naturally requested an access token. The “View As” page normally allows users to switch from one account that they own to another account that they own. Using this feature, attackers were able to obtain, through the Video Upload tool, access tokens belonging to the user being viewed in the “View As” feature.

By combining both bugs, attackers were able to obtain access tokens for any user account on Facebook. Such a token gave them access to that user’s profile as if the user were logged in and, therefore, revealed all profile information, including the friend list, posts (public and private), etc., to the attackers.

How Can Programmers Prevent Such Issues?

Any programmer should learn a few basic controls that should be implemented in any system:
  • Authentication: the process of checking the user’s identity and making sure it is correct. The result is usually either Valid or Invalid.
  • Authorization: the process of checking whether users are allowed to do what they are trying to do. The result is usually either Valid or Invalid. Authorization must never succeed if authentication did not succeed first.
  • Access Control: the main process where the authorization decision is enforced by the application. If the user is not allowed to use the system, he must not be granted any such access.
  • Paranoid By Nature: by default, systems should block access to every system resource unless it is explicitly allowed. This is far more secure than allowing access by default and blocking only the sensitive parts. The logic is simple: it is much safer to block a legitimate user than to admit an illegitimate one.
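Here is an added Python example, not code from the InTouch article, that wires the four controls above together in order: authentication produces a principal or nothing, authorization is impossible without that principal and succeeds only on an explicit allow-list entry, and access control refuses to act on anything else. The user store, passwords, roles and policy table are all constructed for the demonstration.

```python
# Added example (not code from the original article): the controls the
# article lists, wired in order with an explicit allow-list (deny by default).
# User names, passwords, roles and the policy table are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed static salt; real systems use a random per-user salt.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample user store: username -> role and password hash.
USERS = {
    "alice": {"role": "member", "pw": _hash_password("alice-pass")},
    "admin": {"role": "admin", "pw": _hash_password("admin-pass")},
}

# Allow-list policy: (role, action, resource). Anything absent is denied.
POLICY = {
    ("member", "read", "posts"),
    ("member", "write", "own_profile"),
    ("admin", "read", "posts"),
    ("admin", "write", "posts"),
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: is the claimed identity correct? Valid -> Principal, Invalid -> None."""
    record = USERS.get(username)
    # Hash even for unknown users so the response time does not reveal
    # whether the account exists.
    supplied = _hash_password(password)
    if record is None or not hmac.compare_digest(record["pw"], supplied):
        return None
    return Principal(username, record["role"])


def authorize(principal: Optional[Principal], action: str, resource: str) -> bool:
    """Authorization: may this principal do this? Never Valid without a
    successful authentication, never Valid without an explicit rule."""
    if principal is None:
        return False
    return (principal.role, action, resource) in POLICY


def enforce(principal: Optional[Principal], action: str, resource: str) -> None:
    """Access Control: the application refuses to act unless authorization said Valid."""
    if not authorize(principal, action, resource):
        raise PermissionError(f"{action} on {resource} denied")


def handle_request(username: str, password: str, action: str, resource: str) -> str:
    """Full chain for one request; returns 'granted' or 'denied'."""
    principal = authenticate(username, password)
    try:
        enforce(principal, action, resource)
    except PermissionError:
        return "denied"
    return "granted"


if __name__ == "__main__":
    print(handle_request("alice", "alice-pass", "read", "posts"))   # granted
    print(handle_request("alice", "alice-pass", "write", "posts"))  # denied: no rule
    print(handle_request("alice", "wrong-pass", "read", "posts"))   # denied: not authenticated
    print(handle_request("mallory", "x", "read", "posts"))          # denied: unknown user
```

The policy is a set of allowed triples rather than a list of forbidden ones, so a new resource that nobody remembered to configure is unreachable until someone adds a rule for it.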

The Solution: Chained AUTH (connecting Authentication & Authorization)

The web is stateless by nature. This means that a user can visit any URL at any time, from any other URL. Because of this, many systems simply check access tokens on each request. This check is normally done in a centralized authorization component that receives the token, validates it and determines whether the user is allowed to perform the requested action.

Yet what is usually missed during token validation is checking the ORIGIN of the token.

This is exactly the case with Facebook, where access tokens were being generated on the “View As” page because of the mistakenly loaded Video Upload tool.

The chained AUTH principle is simple and is a technique that I have often explained and taught since 2002. The normal and secure place to generate access tokens is right after a successful Authentication process. This means that all access tokens are “created” right there, at the last step of the authentication process.

Therefore, our security system should always record the URL of the page where the access token was generated. This URL is known as the “access token origin” and should be embedded within the access token itself, signed so that it cannot be altered without detection.

When AUTHORIZING any later request, the centralized authorization component should validate the access token and check the origin embedded within it. If that origin differs from the URL of the last step of the authentication process, the token should be considered hijacked and immediately invalidated.

In brief, Chained AUTH is a very simple technique that protects systems from access tokens that were generated in the wrong request (whether by mistake or by design) within any web or mobile application. Facebook simply missed this step, which led to the breach of 40 million user accounts with all their data.
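The following is an added Python example, not the article’s or Facebook’s code, of the chained-AUTH check described above: the token carries its origin URL under an HMAC signature, and the centralized authorization component rejects a correctly signed token whose origin is not the final login step. The signing secret, the `/login/complete` and `/profile/view_as` URLs and the user ids are constructed for the demonstration.

```python
# Added example (not code from the original article): an access token that
# carries its origin, signed with an HMAC, and an authorization check that
# rejects any token whose origin is not the final authentication step.
# The secret, the URLs and the user ids are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-replace-in-production"
# Assumed URL of the last step of the authentication flow: the only request
# that is allowed to mint tokens.
LOGIN_COMPLETE_URL = "/login/complete"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, origin_url: str, issued_at: Optional[int] = None) -> str:
    """Create a signed token; origin_url is the request URL that produced it."""
    claims = {
        "sub": user_id,
        "origin": origin_url,
        "iat": int(time.time()) if issued_at is None else issued_at,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Centralized check: signature first, then the chained-AUTH origin rule.
    Returns the claims, or None if the token is invalid or considered hijacked."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # tampered or forged
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    # Chained AUTH: a genuine signature is not enough. The token must have
    # been minted by the final authentication step, not by some other page.
    if claims.get("origin") != LOGIN_COMPLETE_URL:
        return None
    return claims


def may_read_profile(token: str, profile_owner: str) -> bool:
    """Authorization decision for 'read the profile of profile_owner'."""
    claims = verify_token(token)
    return claims is not None and claims.get("sub") == profile_owner


if __name__ == "__main__":
    good = mint_token("alice", LOGIN_COMPLETE_URL)
    # A token minted by a tool that was loaded on an unrelated page, the
    # situation the article describes: the signature is valid, the origin is not.
    stray = mint_token("alice", "/profile/view_as")
    print(may_read_profile(good, "alice"))   # True
    print(may_read_profile(stray, "alice"))  # False
```

Because the origin is inside the signed body, a client cannot rewrite it to `/login/complete` without breaking the signature, and the origin check runs only after the signature check so that unsigned input never reaches the policy logic.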
