Profile picture
jason polakis @jpolakis
, 20 tweets, 5 min read Read on Twitter
Given the scale and severity of the @facebook breach, I’ll share some thoughts based on our recent @USENIXSecurity paper with @m0eb1t, amrutha, @kaytwo, @stevecheckoway, where we explored the ramifications of your Facebook account being compromised. cs.uic.edu/~polakis/paper… (1/n)
There are many nuanced and not-so-obvious issues that arise due to how Single Sign-On functionality interacts with local account management on 3rd parties (referred to as relying parties in the context of SSO). Facebook's current actions do not prevent these attacks (2/n).
In our experiments we demonstrated how the Facebook iOS app was exposing the session tokens over unencrypted connections, while in this attack the root cause is a complex combination of three different bugs as explained here: newsroom.fb.com/news/2018/09/s… (3/n)
An unexpected finding during our experiments was that when attackers use hijacked FB tokens (i.e., cookies) to access the user’s FB account, the attacker’s session *didn’t* show up in the list of active sessions if the attacker stayed connected for less than 60 mins. (4/n)
As such, looking at the active sessions would not alert the user of the ongoing attack. If this hasn't been fixed by Facebook since our experiments, current advice about looking at active sessions will likely not help you. (5/n)
Another very critical yet overlooked problem is that the stolen tokens can be used to obtain access to a user’s account on other websites that support Facebook SSO *even if the user doesn’t use Facebook SSO* to access them. This depends on 3rd party implementations. (6/n)
Depending on how a site implements local account management, in some cases attackers can gain access to users' 3rd party accounts that haven't been associated with their FB account. In other cases the attacker is simply presented with a new account (under the user's name). (7/n)
While not applicable here, 3rd parties can "instruct" FB during SSO to make users first re-login w/ their password (thus preventing attacks using stolen cookies and not passwords). We found that the vast majority of 3rd parties do not “instruct” FB to make the user re-login (8/n)
More importantly, once attackers gain access to those 3rd parties, they can maintain access to user accounts in those websites using the cookies set by those sites. No matter what FB does, they can’t do anything to prevent attackers’ from accessing those accounts. (9/n)
In our paper we describe various attacks that take advantage of the interplay between SSO and local account management for stealthy and long-lasting access to those user accounts. (10/n)
To make matters worse, we found that the majority of popular sites that we audited, don't offer session management options for terminating active sessions and invalidating cookies. Users currently lack ways to recover from their accounts being hijacked on many 3rd parties. (11/n)
The sheer number of 3rd parties that support FB SSO further exacerbates the issue. Manually going through the account settings of dozens or potentially hundreds of 3rd parties, or contacting customer support in each case, is infeasible. (12/n)
In a less obvious attack, we demonstrated how attackers can use the FB token to create accounts for the user on websites where they don’t have an account already; this could be used for a variety of attacks from spam/phishing to identity-related scams. (13/n)
More surprisingly, attackers can set a long-term trap and wait for users to create an account on those sites and start using them in the future. For instance, attackers might be particularly interested in the user data or account functionality offered by popular website X. (14/n)
Even if the user doesn’t have an account on X, attackers can create the user’s account on X using FB SSO, and wait for the user to join X in the future. Given the nature of SSO, the pre-existence of that account won’t be apparent to the user upon joining. (15/n)
To mitigate these attacks, we proposed an extension to OpenID Connect for universally revoking access: it allows identity providers (like FB) to instruct all 3rd parties associated with a compromised account to terminate all active sessions and invalidate passwords. (16/n)
Overall, I’ve omitted a bunch of details from our paper, but this incident has greater and more long-lasting security and privacy implications than what is being currently reported and users should be extremely cautious about suspicious activities across all their accounts (17/n)
We hope that this incident will incentivize major vendors to better address the shortcomings of current SSO schemes, more thorough evaluation of authentication implementations in practice, and the adoption of our proposed defense.
As shown by this incident, authentication and access control flaws can manifest in complex ways and have implications across many different websites. (19/19)
To clarify: our research goal is to highlight the implications of SSO in general. Our findings are not limited to FB, but apply to any identity provider. Apart from exposure of FB tokens, the 3rd-party issues we reported rely on implementation issues in those sites, not in FB.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to jason polakis
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
So #Facebook & #Instagram (second time in 3 weeks) deleted my accounts. For sharing information about #Kashmir. No explanations or replies to my questions are given. Of course this is not about Facebook, nor about me, but the much more dangerous path SM is taking.
It is all about Justice & about what is happening to many people living under oppression & facing severe surveillance & suppression on the ground and even online.
It is about principals & rights. Human rights. Enshrined in statues & bragged about. Said to be universal. Said to be
I don't know ONE Kashmiri who hasn't been subjected to some form of censorship. On the ground there are far worse consequences than removed posts. Journalists (and MANY civilians) have been trashed, arrested & targeted when covering human rights violations by India.
Read 15 tweets
Profile picture
We have begun collecting all human behaviour and putting the machine in between human beings and every transaction in life. In doing that, we are increasingly operating our society on a new basis.
The omnipresent smartphones and digital businesses around us have caused a permanent shift in our societies.
We are now operating with a new form of social science that we don't understand yet, but which we are already using in much the same way that physics was used to change European society in the 17th and 18th centuries.
Read 18 tweets
Profile picture
Good one, will share my thoughts based on 15 plus years in RE business:
@TraderEQFX @Wealth_Park @valueshadow @rohitchauhan
1) RE is not dead (as some think), it will continue to be there in future in one form or another. Yes, developers will consolidate, business model will change/evolve.
2) Masses are not "value investors". ppl still want to own homes and invest in something where they can touch/feel. Masses are still not comfortable putting big chunk in equity markets regardless of RE returns.
Read 13 tweets
Profile picture
PM of Malaysia, Tun Dr. Mahathir Mohamad @chedetofficial speaking on 'Future of Democracy in Asia' at Chatham House, London today. @501Awani
"I may be accused of being a dictator, but I like to differ. And today, a dictator will talk about democracy." - Tun M said, to a roar of laughter from the crowd at Chatham House.
"Democracy is not something easy to handle. The basic rule is that the majority of people have a right to choose their leaders. If you want to make a government work, you need to have a certain kind of discipline."
Read 28 tweets
Profile picture
THREAD

Breakdown of #CambridgeAnalytica whistleblower testimony to House of Commons in the #UnitedKingdom
1.#Wyile testifies that #CambridgeAnalytica is a shell company owned by Robert #Mercer, #Mercer created #CambridgeAnalytica to provide cover for #SCL Group,its parent company and its operations.
He describes #CambridgeAnalytica and #SCL group as Military Psy Ops.
2.#Wylie explains RIPON operation, RIPON used “data exhaust” to build psychological profiles in coordination with Cambridge University faculty. it creates modern day colonialism, harming fragile democracies, works illegally, without morals.
Read 44 tweets
Profile picture
With all the concern over Facebook Privacy being highlighted with the recent Cambridge Analytica investigation, I thought I'd share some tips on how to 'clean up & crack down' on your Facebook profile. #CambridgeAnalyticaUncovered #Facebook
The obvious thing to do is shut down your profile. However, DEACTIVATING your profile does NOT delete your data. Facebook retain that in case you decide to return. This is an important distinction: if you just want to deactivate - Settings -> Manage Account -> Deactivate
If you want Facebook to delete your data, you need to go to facebook.com/help/delete_ac… - however you may want to archive your old photos and data before doing so, and to be doubly sure, you'll want to manually unlink the external apps and delete your posts and likes.
Read 12 tweets

Trending hashtags

#Kosinksi #Nix #humanrights #FreeKashmir #Facebook #Putin #MOG #Thiel #Kogan #climatechange #ArtificialIntelligence #Russians #Instagram #Zuckerbergtestimony #Committee #CambridgeAnalytica #thoughts #GCHQ #Kavanaugh #Zuckerberg #EB5 #menlopark #CambrigeAnalytica #Theil #LeaveEU

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!