Facebook, fifty million tokens

Facebook disclosed yesterday afternoon that an attacker had exploited a chained vulnerability in the company's View As feature to obtain access tokens for approximately 50 million user accounts (Facebook newsroom post by Guy Rosen, September 28). The attack mechanism, on Facebook's preliminary description, combines three distinct flaws: a bug in the video-upload component used by View As that produced an access token under the wrong user's identity, a bug that caused the token returned to be a long-lived rather than a short-lived token, and a bug that returned the token of the wrong user when the View As mode was used to inspect the page from another user's perspective. The combination produces full-account access tokens for the user whose perspective is being viewed, and the attacker iterated this technique against approximately 50 million accounts before detection.

The technical detail is interesting because the individual bugs are subtle and the chain is not obviously stitchable from any single one. Facebook's own engineering review on Tuesday discovered an "unusual spike in users" performing the View As action, which led to the investigation that found the exploit. The discovery-to-disclosure window was three days, which is well within GDPR's 72-hour requirement (Facebook is, of course, the kind of large data controller for whom GDPR compliance is substantial operational machinery rather than a programme still to be implemented).

The affected population includes EU residents in numbers that are not yet publicly broken down but are, given Facebook's user distribution, certainly in the millions. The Irish Data Protection Commission, which is the lead supervisory authority for Facebook under the GDPR's One-Stop-Shop mechanism, has opened a formal investigation and has asked Facebook for additional information on the affected EU population, the technical mechanism, the remediation actions, and the company's compliance posture against Articles 32 (security of processing) and 33 (notification of breach) (Irish DPC statement on Facebook investigation). The investigation is the largest GDPR enforcement action so far, and the eventual outcome will set precedent for Article 32 enforcement against major platforms.

The third-party-application implication is the part of the story that has been less widely reported. Access tokens for Facebook accounts can be used not only against Facebook itself but against any third-party service that supports Facebook Login — many thousands of services across the consumer internet. An attacker holding a long-lived access token for a user's Facebook account can, depending on the token's scopes and the third-party service's session-management posture, log in to those third-party services as the user. The blast radius of the 50 million tokens is therefore substantially larger than just Facebook. The remediation — Facebook is invalidating the affected tokens, which forces re-authentication for the affected users on Facebook and on the third-party services that rely on Facebook Login — is the right action and is being executed. The customer organisations that use Facebook Login as a customer-authentication mechanism are seeing the customer-side re-authentication wave land this week.

For the customer briefings, the Facebook incident has produced two specific conversations. First, with customer organisations using Facebook Login or any other social-login mechanism, the question of trust dependency on the platform's security posture. Social login is a convenient mechanism for reducing friction at the customer-acquisition stage; the security-architectural cost is that the customer organisation's authentication trust is, in part, delegated to the social platform. The Facebook incident demonstrates that the delegated trust is, on occasion, a liability. The remediation — fall back to platform-managed credentials when the social platform's authentication is compromised — is operationally awkward and not always well implemented. Customer organisations are being asked to review their session-management posture for social-login-derived sessions specifically.
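The session-management review described above, and the third-party blast radius discussed earlier, come down to one question for a relying service: can it tell which of its sessions rest on a social platform's authentication, and can it terminate those selectively when the platform invalidates tokens? The following is an added illustration, not code from Facebook or from any customer engagement mentioned in this post. It assumes a service that keeps its own session store, records for each session whether it was created from local credentials or from a provider token (storing only a hash of the provider token), applies a shorter lifetime to provider-derived sessions, and supports both per-token revocation (if the provider supplies the affected tokens) and provider-wide revocation of everything created before a disclosure time. The lifetime values and provider name are constructed policy choices for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy values: sessions that rest on a social platform's
# authentication expire sooner than sessions that rest on credentials
# the organisation manages itself.
MAX_AGE_LOCAL = 24 * 3600
MAX_AGE_SOCIAL = 4 * 3600


@dataclass
class Session:
    session_id: str
    user_id: str
    source: str                   # "local" or "social:<provider>"
    upstream_ref: Optional[str]   # sha256 of the provider token, never the token itself
    created_at: int
    revoked: bool = False


class SessionStore:
    """In-memory session store that tracks the provenance of each session."""

    def __init__(self):
        self._sessions: Dict[str, Session] = {}

    def _create(self, user_id: str, source: str, upstream_ref: Optional[str], now: float) -> Session:
        session = Session(secrets.token_urlsafe(24), user_id, source, upstream_ref, int(now))
        self._sessions[session.session_id] = session
        return session

    def create_local_session(self, user_id: str, now: Optional[float] = None) -> Session:
        return self._create(user_id, "local", None, time.time() if now is None else now)

    def create_social_session(self, user_id: str, provider: str, provider_token: str,
                              now: Optional[float] = None) -> Session:
        # Keep a reference to the provider token so it can be matched later,
        # without retaining a usable credential in the session store.
        ref = hashlib.sha256(provider_token.encode()).hexdigest()
        return self._create(user_id, f"social:{provider}", ref, time.time() if now is None else now)

    def is_valid(self, session_id: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None or session.revoked:
            return False
        max_age = MAX_AGE_LOCAL if session.source == "local" else MAX_AGE_SOCIAL
        return now - session.created_at < max_age

    def _revoke(self, predicate) -> List[str]:
        revoked = []
        for session in self._sessions.values():
            if not session.revoked and predicate(session):
                session.revoked = True
                revoked.append(session.session_id)
        return revoked

    def revoke_by_upstream_tokens(self, provider: str, provider_tokens) -> List[str]:
        """Revoke sessions derived from specific provider tokens, when the provider names them."""
        refs = {hashlib.sha256(t.encode()).hexdigest() for t in provider_tokens}
        return self._revoke(lambda s: s.source == f"social:{provider}" and s.upstream_ref in refs)

    def revoke_provider_sessions(self, provider: str, created_before: int) -> List[str]:
        """Provider-wide incident: revoke every session resting on that provider that
        predates the disclosure time, forcing those users to re-authenticate."""
        return self._revoke(lambda s: s.source == f"social:{provider}" and s.created_at < created_before)


def fallback_local_login(store: SessionStore, user_id: str, local_credentials_verified: bool,
                         now: Optional[float] = None) -> Optional[Session]:
    """After a provider-wide revocation, continue only via credentials the organisation
    manages itself; a user with no local credential must repeat the social login."""
    if not local_credentials_verified:
        return None
    return store.create_local_session(user_id, now)
```

The provider-wide path is the one that matters in an incident like this one: a relying service is unlikely to receive the list of 50 million affected tokens, so the defensible action is to revoke every session that rests on the provider and predates the disclosure, and to accept the re-authentication wave that follows.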

Second, with customer organisations whose own platforms use access-token-based authentication models, the question of token lifetime and scope management. The Facebook chain involved a long-lived rather than a short-lived token being returned in a context where a short-lived token was the design intent. The discipline of token-lifetime management — short by default, scoped narrowly, refreshable rather than long-lived — is a category of architectural hygiene that customer-organisation API designers have not always prioritised. The customer-organisation review of API token issuance against the lifetime-and-scope discipline is a useful exercise that I am pushing on several customer engagements this week.
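The lifetime-and-scope discipline above is easiest to review against concrete issuance and verification code. What follows is an added example written for this post, not Facebook's implementation or code from any customer engagement. It assumes an API that mints its own HMAC-signed access tokens: issuance refuses (rather than silently clamps) any request for a lifetime beyond the policy maximum or for a scope outside the allowed set; verification rejects a token whose embedded lifetime exceeds the maximum even when its signature is valid, which is the check that would catch a token minted by a buggy code path; and longevity is carried by single-use, rotating refresh tokens held server-side as hashes. The signing key, scope names and lifetime values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example key; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"

MAX_ACCESS_TTL = 15 * 60           # access tokens live at most 15 minutes
MAX_REFRESH_TTL = 14 * 24 * 3600   # refresh tokens live longer but are single-use
ALLOWED_SCOPES = {"profile:read", "posts:read", "posts:write"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_access_token(subject: str, scopes, ttl: int, now: Optional[float] = None) -> str:
    """Mint a short-lived, narrowly scoped access token for `subject`."""
    now = time.time() if now is None else now
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    if ttl <= 0 or ttl > MAX_ACCESS_TTL:
        # Refuse rather than clamp, so a caller asking for a long-lived token
        # surfaces as a visible policy violation instead of being quietly fixed up.
        raise ValueError(f"ttl {ttl}s exceeds maximum {MAX_ACCESS_TTL}s")
    claims = {"sub": subject, "scope": sorted(scopes), "iat": int(now),
              "exp": int(now) + ttl, "typ": "access"}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


def verify_access_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired, within policy and
    carries `required_scope`; otherwise None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("typ") != "access" or claims.get("exp", 0) <= now:
        return None
    # Defence in depth: a validly signed token with a lifetime beyond policy is
    # still rejected, which catches tokens produced by a faulty issuance path.
    if claims["exp"] - claims["iat"] > MAX_ACCESS_TTL:
        return None
    if required_scope not in claims.get("scope", []):
        return None
    return claims


class RefreshTokenStore:
    """Server-side store of single-use refresh tokens, kept only as hashes."""

    def __init__(self):
        self._active: Dict[str, Tuple[str, set, int]] = {}

    def issue(self, subject: str, scopes, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._active[key] = (subject, set(scopes), int(now) + MAX_REFRESH_TTL)
        return token

    def redeem(self, refresh_token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token once for a new access token and a rotated refresh token."""
        now = time.time() if now is None else now
        key = hashlib.sha256(refresh_token.encode()).hexdigest()
        entry = self._active.pop(key, None)   # pop: the presented token is spent either way
        if entry is None:
            return None
        subject, scopes, exp = entry
        if exp <= now:
            return None
        return issue_access_token(subject, scopes, MAX_ACCESS_TTL, now), self.issue(subject, scopes, now)
```

The point of the lifetime check inside `verify_access_token` is that policy is enforced at the consumer as well as the issuer: if an issuance path is ever wrong about lifetime, as the Facebook chain was, the tokens it produces still fail verification. A review of an API's token issuance can take these two functions as the checklist: where is the maximum lifetime enforced, where is the scope set constrained, and is longevity carried by a rotating refresh token rather than by the access token itself.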

The GDPR enforcement question that the Irish DPC investigation will eventually answer is what Article 32 looks like in practice for a platform of Facebook's scale. The article requires controllers to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", and the assessment of appropriateness against Facebook's risk profile is a substantial interpretive question. The outcome will be the most consequential GDPR enforcement action to date and will shape supervisory expectations for major platforms across the EU. The British Airways case will produce its own enforcement output in due course; the two together — BA and Facebook — will define the early GDPR enforcement precedent for the consumer-data sector.

The personal note on this is that the Facebook case continues the pattern of platform-level disclosures that, since the Cambridge Analytica reporting in March, have been re-shaping the political conversation about platform regulation. The European Commission's e-Privacy Regulation, which has been in slow legislative progress for some time, is going to attract more political weight after the autumn. The US-side regulatory conversation, which has been slower to move, is also picking up. The next 18 months of platform-regulation legislative activity in multiple jurisdictions is going to produce a substantial new body of law that customer-organisation programmes will need to absorb.
