Security Newsletter
8 October 2018
Facebook got hacked: 50 million accounts accessed
On the afternoon of Tuesday, September 25, Facebook engineering team discovered a security issue affecting almost 50 million accounts. Attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
In a conference call with reporters, Facebook vice president of product Guy Rosen shared a few more details of the breach: Facebook Detected Breach After Noticing Unusual Traffic Spike; Hackers Exploited Total 3 Facebook Vulnerabilities; Hackers Stole Secret Access Tokens for 50 Million Accounts but they reseted access tokens for 90 millions accounts to be safe; Your Facebook Account Password Has Not Been Compromised; Hackers Downloaded Users' Private Information Using Facebook API; Your "Logged in as Facebook" Accounts at 3rd-Party Apps/Websites Are At Risk; You should Check Active Sessions on Facebook to Find If Your Account Have Been Hacked
Warning: Attackers behind the recently revealed Facebook mega-breach may still be able to access victims' accounts at third-party web services and mobile apps, and Facebook has offered no timeline for when that might change. Here's the problem: Whoever hacked Facebook stole single sign-on access tokens - and thus access - to at least 50 million accounts, which also gives them access to the hundreds of third-party services and mobile apps that accept victims' SSO authentication, dubbed Facebook Social Login or Facebook Login. Facebook found no evidence "so far" that proves such claims.
Unfortunately, Facebook now says that while it can reset access tokens, it cannot guarantee that all third-party services that accept Facebook Social Login will honor these token-reset requests. This corporate approach, in fact, appears to mirror precisely what got Facebook into the Cambridge Analytica data scandal mess. Simply put, Facebook wasn't policing how third parties accessed, processed, used or sold Facebook users' data.
Official statements from Facebook
Even More on BankInfoSecurity
10 important updates on TheHackerNews
Phishing Attack Uses Azure storage to Impersonate Microsoft
Even though phishing attacks can be quite convincing, a give away is when diligent users notice that the login form is unsecured, the URL is not right or the SSL certificate is clearly not owned by the company being impersonated. A new Office 365 phishing attack utilizes an interesting method of storing their phishing form hosted on Azure Blob Storage in order to be secured by a Microsoft SSL certificate.
Azure Blob storage is a Microsoft storage solution that can be used to store unstructured data such as images, video, or text. By storing a phishing form in Azure Blob storage, the displayed form will be signed by a SSL certificate from Microsoft. This makes it an ideal method to create phishing forms that target Microsoft services such as Office 365, Azure AD, or other Microsoft logins.
In these attacks, bad actors are sending out spam emails with PDF attachments. These attachments are named "Scanned Document... Please Review.pdf" and simply contain a button to download a supposed PDF of a scanned document. When users click on this link they will be brought to a HTML page pretending to be a Office 365 login form that is stored on the Microsoft Azure Blob storage solution. Notice how the URL, indicates it is a blob. As this page is also being hosted on a Microsoft service, it gets the benefit of being a secured SSL site as well.
While more experienced users may not fall for this attack due to the strange URL, others may be more convinced because the page utilizes a certificate from Microsoft and thus must be safe. To better protect users from these types of evolving threats,Netskope recommends that companies properly educate their users to recognize non-standard web page addresses. "Enterprises should educate their users to recognize AWS, Azure, and GCP object store URLs, so they can discern phishing sites from official sites. "
Read More on BleepingComputer
Original blog post from Netskope
Cutting room floor
#Tech and #Tools
This content was created by Kindred Group Security. Please share if you enjoyed!
Kindred Group in brief
Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.
You can access the previous newsletters at
If you no longer wish to receive this newsletter, you can unsubscribe from this list.