Hello, welcome to the Tuesday, October 2, 2018 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Honolulu, Hawaii.

Facebook published a blog post with a bit more details about which vulnerabilities exactly were exploited in order to gain access to

these 50 million accounts that I talked about yesterday. The exploit was a bit more complicated

than what I envisioned. So first of all, it all starts out with viewing your own profile as a

different user. In this mode, you're supposed

to only be able to view your profile not to make any changes to your profile. However,

turns out there was one particular feature, and that's when you upload a video to user's

account to wish them happy birthday. That was still available,

so now you were able to upload a video to your own page while you were using this view as feature.

The access token created when you're doing so had two important flaws. First of all, this access token was created

for the user that you were impersonating. So that's essentially now how you got access to this

user's data by using this access token. But the other problem was that this token was really only

supposed to allow you to upload the video.

Nothing else.

Well, in addition, it was actually possible to use that token to use the mobile Facebook app.

So this is how the attackers were able to gain access to users' profiles.

At this point, Facebook states they're still investigating, so they're still

not 100% sure how many accounts were actually affected and what exactly was done with data or what

was done to these accounts. Personally, I actually think it's nice of Facebook to provide some

details about how these attacks work.

Certainly, it doesn't look like a very simple flaw and something that probably took some work to really figure out how to exploit this vulnerability.

...