Hackers Exploit Facebook Bug, As Twitter DMs (Maybe) Got Misrouted

In our latest security news digest, we check out the Facebook hack heard 'round the world, a Twitter bug that rattled users but may not amount to much, and a pair of serious Linux kernel vulnerabilities.

Facebook scrambles to investigate major breach affecting tens of millions of users

The cyber security world shook on Friday upon learning that attackers exploited a software flaw on Facebook that allowed them to obtain access tokens for 50 million accounts, with another 40 million accounts possibly also affected.

Equally or even more concerning: The purloined tokens could have been used to access accounts in other websites into which their users log in with their Facebook credentials, such as Spotify and AirBnB.

Facebook inadvertently introduced the bug in July of last year. After investigating unusual activity detected in mid-September of this year, Facebook discovered the attack last week.

The attack has made global headlines since its disclosure on Sept. 28, and has naturally drawn scrutiny from security experts, government regulators, Facebook users, and industry observers.

“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team,” Paul Bischoff, privacy advocate with Comparitech, told Dark Reading.

It’s not clear if nor how the accounts may have been misused, but the company warned that the investigation is in its very early stages.

Many are speculating whether the incident will land Facebook in hot water with regulators globally, especially in the EU, whose severe General Data Protection Regulation (GDPR) went into effect in May, with potential fines of up to 4% of a company’s annual revenue.

The vulnerability is triggered in a specific scenario involving the “View As” feature and a video uploader launched in July 2017:

• “View As,” which lets Facebook account holders see how their timeline looks like to other users, mistakenly included the video uploader in certain cases.
• The video uploader in turn generated a token for accessing the account of the user whose view of the timeline was being replicated.
• With this token, that user’s account could be accessed and taken over.

Guy Rosen, a Facebook VP of Product Management, said during a press conference that the attack was carried out in a large scale. More details were provided during a second press call.

Facebook reset the access tokens of the 50 million affected accounts, as well as the tokens of another 40 million accounts that were subject to a “View As” look-up in the last year. It also notified law enforcement agencies. The company said it will provide more details as its investigation progresses.

More information:

Facebook’s security flaws exposed more than Facebook — here’s what (little) you can do (NBC News)

MPs demand answer from Facebook boss over hack shock (The Telegraph)

Facebook warns that third-party apps could have been affected by recent breach (Digital Trends)

Facebook Security Bug Affects 90M Users (Krebs on Security)

Twitter misdirects DMs, private tweets – sorta, maybe

Facebook wasn’t the only social media giant that discovered a year-old bug that put user data at risk. A flaw in Twitter’s Account Activity API (AAAPI) may have caused direct messages or private tweets to be sent to the wrong recipients.

In all potential cases, the errant DMs or tweets would have been sent from a personal account to a business account, such as those of an airline or a restaurant, and would have been incorrectly delivered to a developer registered in Twitter’s developer program.

The bug was active for about 15 months – between May 2017 and Sept. 10 of this year – but Twitter believes that instances of the routing error were probably rare.

“Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source,” reads a company statement.

A detailed explanation of the combination of variables needed for the flaw to be triggered can be found in a Twitter statement aimed at developers.

Twitter estimates that less than 1% of Twitter’s 336 million users may have been affected, and it hasn’t yet found an instance in which a DM or private tweet went to the wrong recipient. “But we can’t conclusively confirm it didn’t happen,” the company’s tech support team said in a tweet.

In addition to patching the bug, Twitter has contacted potentially-impacted users and developers.

More information:

Twitter may have sent your private DMs to the wrong people – but probably not (Cnet)

Twitter Flaw Exposed Direct Messages To External Developers (ThreatPost)

Twitter Bug That ‘May Have’ Exposed Direct Messages Probably Didn’t Expose Anything (Gizmodo)

Serious Linux kernel bugs discovered

A pair of Linux kernel bugs were separately discovered – one by Google’s Project Zero team, the other by Qualys researchers.

Google’s team found a cache invalidation bug (CVE-2018-17182) in Linux’s memory management from version 3.16 through version 4.18.8, in which the vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows.

“An attacker can trigger a use-after-free – and possibly gain privileges – via certain thread creation, map, unmap, invalidation, and dereference operations,” explains NIST in the National Vulnerability Database entry.

The Project Zero blog has a detailed rundown of the bug.

Meanwhile, Qualys discovered an integer overflow flaw (CVE-2018-14634) in the Linux kernel’s create_elf_tables() function. “On a 64-bit system, a local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges,” reads the Qualys advisory.

ThreatPost has more details about the so-called “Mutagen Astronomy” flaw, which is believed to affect Linux kernel versions 2.6.x, 3.10.x and 4.14.x, according to the NIST vulnerability database entry.

More information

Linux: VMA use-after-free via buggy vmacache_flush_all() fastpath (Chromium blog)

Another Linux Kernel Bug Surfaces, Allowing Root Access (ThreatPost)

Google Hacker Discloses New Linux Kernel Vulnerability and PoC Exploit (The Hacker News)

Red Hat advisory about CVE-2018-17182 (Red Hat)

New Linux ‘Mutagen Astronomy’ security flaw impacts Red Hat and CentOS distros (ZDNet)

Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian (SecurityWeek)

In other security news …

• Between roughly mid-August and mid-September, hackers stole credit card data from electronics retailer Newegg’s website after inserting card-skimming code on the payments page, TechCrunch reported. The company confirmed the incident happened, and posted an FAQ about the issue.
• Fashion retailer SHEIN suffered a breach in which personal information from almost 6.5 million customers was stolen over a period of about two months – between June and August of this year, the company said. SHEIN also has an FAQ for concerned customers.
• Cisco’s Talos division published research shedding more light on the VPNFilter malware that has infected routers worldwide recently. “As a result of the capabilities we previously discovered in VPNFilter coupled with our new findings, we now confirm that VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted,” the researchers wrote.