Last week saw Facebook dealing with security and privacy issues, while the Port of San Diego got hit with a ransomware attack and researchers discovered two Linux kernel bugs.

Last week, as many as 90 million Facebook users were forced to re-login to their accounts after the social media network admitted it was hacked. Facebook said nearly 50 million of its users were directly affected by hackers stealing access tokens after exploiting Facebook’s code; the other 40 million forced logins were a “precautionary” step.

The buggy code had been around since July 2017, but Facebook didn’t realize attackers were exploiting the vulnerability — the result of three separate bugs — through the “View As” option until this week. The flaw allowed hackers “to steal Facebook access tokens which they could then use to take over people’s accounts.”

Facebook fixed the vulnerability, temporarily disabled the View As feature and contacted law enforcement. At this point in the investigation, Facebook claims it doesn’t know much — like who was behind the attacks and if “accounts were misused or information accessed.”

It also came to light that if you cared enough about security to set up two-factor authentication, then Facebook used those phone numbers to help target ads. Researchers from Northeastern University and Princeton University spelled out the technical details in a paper (pdf), but Gizmodo summed it up as:

“Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all.”

If you are looking for the silver lining in that Facebook gloom and doom cloud, then at least Messenger calls aren’t being wiretapped — yet, at least. The U.S. government had tried to force Facebook to wiretap Messenger calls, which are not end-to-end encrypted, but those courtroom efforts failed, according to Reuters.

Other cybersecurity news

Ransomware attack hits Port of San Diego

Following reports of the Port of Barcelona being hit with a ransomware attack, the Port of San Diego admitted that it, too, was a victim of a ransomware attack. It is not, however, disclosing the amount of the bitcoin payment demanded or the ransomware variant used in the attack.

The Port of San Diego said the ransomware attack “is mainly an administrative issue and normal Port operations are continuing as usual.” The public would feel the impact of the attack when it came to issuing park permits, public records requests, and business services. Some IT systems were compromised, but other systems were proactively shut down “out of an abundance of caution.”

2 Linux kernel bugs

There were not one, but two different Linux kernel bugs that could allow root access revealed last week. First, a local privilege escalation vulnerability, disclosed by Qualys, could give an attacker “full root privileges.” Details about the second, a use-after-free vulnerability, were released by Google Project Zero researcher Jann Horn.

In-the-wild UEFI rootkit survives hard drive replacement

ESET researchers revealed details about a UEFI rootkit, dubbed LoJax, which was likely developed by Fancy Bear to spy on governments in the “Balkans as well as Central and Eastern Europe.” The researchers warned, “This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement.”

Telegram patches IP leak

A bug in Telegram desktop clients allowed for the opposite of anonymity, as it was revealing IP addresses. Telegram issued a fix, adding a “Nobody” option so voice calls will not be made via a peer-to-peer connection, and it awarded a bug bounty to researcher Dhiraj Mishra.

Chrome changes mind on auto-login of Chrome 69

Google “appreciated” the feedback from Chrome users and decided against the creepy auto-login of Chrome 69. Chrome 70, coming in October, will reportedly delete all cookies when you attempt it, instead of keeping Google cookies in play.

Careful with what you tweet

This reminder comes from the Securities and Exchange Commission (SEC) after Elon Musk agreed to step down as chairman of Tesla and fork out a $20 million fine to settle charges brought by the SEC. In August, Musk tweeted that he could take Tesla private at $420 a share; Bloomberg reported that the false assertion was really about weed and impressing his girlfriend, the rapper Grimes.

SEC’s Steven Peikin said, “While leading Tesla’s investors to believe he had a firm offer in hand, we allege that Musk had arrived at the price of $420 by assuming 20 percent premium over Tesla’s then existing share price then rounding up to $420 because of the significance of that number in marijuana culture and his belief that his girlfriend would be amused by it.”

Tim Berners-Lee proposes plan to start new internet

Tim Berners-Lee, the dude who invented the World Wide Web, has a plan to fix it, as users have little choice in handing over their personal data to tech giants. He wants to give users back the control of their data with an open-source project dubbed Solid.