What we know from Facebook’s Security Update
On September 16th Facebook discovered unusual activity on its platform and an investigation was launched. On Tuesday, September 25th a vulnerability and security issue was identified that affected almost 50 million account. On Wednesday law enforcement was notified, and on Thursday the vulnerability was fixed and other security precautions (such as resetting 90 million access tokens) were implemented.
Impact? So far there is very little information what the impact of the attack was, who was behind the attack and whether the affected accounts were misused or any information accessed. Facebook has promised further details as the investigation goes forward.
Personally I think Facebook did a good job in quickly identifying and fixing the vulnerability. Also the transparent way this has been handled so far shows that Facebook is taking this issue seriously. Obviously a bug like this should not have been there in the first place but the reality is modern software is far too complex to avoid all bugs. In the end a company needs to focus its efforts not only on finding bugs before they go into production but also, as this case once again shows, focus in quickly detecting, identifying and dealing with issues as they happen and doing so in a fully transparent way.
Impact on the concept of identity federation
Does this break the case for identity federation? Of course not. The risks and complexity of directly handling identity data are known, and using a proven third party can provide both risk and cost reduction. Is this a blow against OAuth – no! To take a parallel example we haven’t thrown away web servers because of a few bugs in a website, OAuth provides a well tested and widely deployed secure and controlled mechanism for identity and access management.
In the wider sense this very much supports the use of external domain experts when designing and implementing identity standards. Facebook is a huge organisation with phenomenal technical talent and yet they were still victim to an exploit around its implementation of access tokens. Using existing and emerging standards it is possible to block this specific issue at source and ensure that any external sites that use Facebook as an Identity Provider (IdP) are also protected.
This vulnerability will lead to many conversations about Facebook’s role as an identity provider (albeit a non-verified, social identity), and more widespread conversations about federating identity in general. For the federated identity system to continue to work even social identity providers like Facebook need to securely implement identity standards if they are to protect the digital identities used to log into external services and applications. When we start thinking about the risks created with a poor implementation verified identities, the stakes become dramatically higher.
If there’s something to learn here, no matter how large a developer organisation some companies have, it’s well worth considering working with a proven identity federation solution, delivered by domain experts, rather than risk getting it wrong by building inhouse.
To learn more about OAuth and other authorisation implementations check out our free authorisation white paper resources.
About The Author: Petteri Stenius
Principal Scientist at Ubisecure
More posts by Petteri Stenius