Facebook 533M leak - what do you do?
Ts. Dr. Suresh Ramasamy CISSP,CISM,GCTI,GNFA,GCDA,CIPM
CISO | Chief Research Officer | Keynote Speaker | Board Member
Almost everyone on this planet, including their dog, cat, pet parrot and every other being, is listed on Facebook (this also applies to other social media, though none at the scale of Facebook's penetration).
Having started off as a college fling-tracking site, Facebook quickly outgrew its pubescent phase and matured into a global social media giant, with a willing John Q. Public happily providing their personal data (scarily so, at times). Facebook quickly became an advertising darling and a platform for marketing, social outreach and, often, information warfare battlegrounds (as seen recently during the last US presidential election campaign).
Facebook breaches in 2019
In 2019, there were two breaches that affected Facebook: one in March/April and the other in September. The most recent leak, affecting 533M records (supposedly), was attributed to the September incident. However, a more detailed view reveals that the vulnerability may have been lingering since 2012!
The March/April breach (which Facebook claims to have addressed) seems to have been due to abuse of its own API. The Graph/Marketing API was seen being abused, and was also attributed to the Cambridge Analytica debacle. Facebook stepped in to disable the "supposedly" harmful API to prevent further abuse, but not without receiving backlash proportional to the damage Cambridge Analytica had caused.
Vulnerability reported in 2012
Lucian Constantin, a senior writer for IDG News Service, wrote on ComputerWorld (8 October 2012) that an independent researcher, Suriya Prakash, found a vulnerability via Facebook's mobile site. Facebook allows users to associate their contact list with existing Facebook user accounts. Earlier, Facebook had requested that users submit their mobile number in order to enable SMS-based 2FA to protect their accounts. Now that Facebook had contact information, it also provided users an option to search for other users by specifying their number. To make it easier, a setting was introduced. In Facebook, a user can head to "Privacy Settings" > "How You Connect" > "Who can look you up using the email address or phone number you provided", with the default setting of "Everyone" (!)
This means that even if you set your phone number visibility to "Me only" on your profile page, anyone who knows your number will be able to look you up unless that setting is changed accordingly. Most people, unaware of this, would leave the setting at its default, falling prey to this type of attack.
Suriya Prakash claimed that he shared the information with the Facebook Security team in August and that, after an initial response on 31 August, his emails seemed to have ended up in /dev/null. A Facebook representative responded and said that the rate at which a user can be found had been restricted.
Is it a bug?
This became the actual issue that caused the most recent data breach for Facebook. Facebook, however, claimed that there was no hacking and that this was just another scraping method. Scraping is a means of obtaining information by crawling through the site. However, from my assessment, I find it closer to an IDOR (Insecure Direct Object Reference).
In a typical IDOR attack, the attacker simply enumerates the object by incrementing the ID number, e.g. https://website/id=1
The ID value is incremented, revealing all other objects until the enumeration is complete. In this case, the ID happens to be the mobile number. The attacker created a phone book with ALL possible phone numbers, uploaded it to Facebook and referenced it against Facebook's own database. Based on the numbers enumerated, one of the victims of this attack is Mark Zuckerberg himself, later identified as having the Signal app running on his phone (surprise, surprise!).
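To show the defensive side of the two points above (the "Who can look you up" setting and the rate restriction Facebook's representative described), here is an added toy model in Python, not code from the article or from Facebook: a contact-matching endpoint that honours each target's own setting, enforces a per-requester lookup quota, and a detection rule over constructed lookup logs that separates a genuine address-book sync from a number-range sweep by its hit rate. The directory, quota value, thresholds and phone numbers are all assumptions.

```python
from collections import defaultdict

# Constructed directory: number -> profile and its "Who can look you up using the
# phone number you provided" setting ("everyone" is the default the article describes).
DIRECTORY = {
    "+60120000001": {"name": "Alice", "lookup": "everyone", "friends": {"bob"}},
    "+60120000002": {"name": "Bob", "lookup": "friends", "friends": {"alice"}},
    "+60120000003": {"name": "Carol", "lookup": "only_me", "friends": set()},
}
MAX_LOOKUPS = 5  # assumed per-requester quota; the real limit is not public

def visible_to(profile, requester):
    """Apply the target's own setting instead of answering every query."""
    setting = profile["lookup"]
    return setting == "everyone" or (setting == "friends" and requester in profile["friends"])

def match_contacts(requester, numbers, quota=None):
    """Resolve an uploaded contact list; returns (matches, rejected_count)."""
    quota = defaultdict(int) if quota is None else quota
    matches, rejected = {}, 0
    for number in numbers:
        if quota[requester] >= MAX_LOOKUPS:
            rejected += 1  # quota exhausted: stop answering rather than leak
            continue
        quota[requester] += 1
        profile = DIRECTORY.get(number)
        if profile and visible_to(profile, requester):
            matches[number] = profile["name"]
    return matches, rejected

def flag_enumeration(log_lines, max_distinct=50, min_hit_rate=0.2):
    """Detection over 'requester number hit|miss' lines: a real address-book
    sync mostly hits, a sweep over a number range mostly misses."""
    stats = defaultdict(lambda: {"numbers": set(), "hits": 0})
    for line in log_lines:
        requester, number, result = line.split()
        stats[requester]["numbers"].add(number)
        stats[requester]["hits"] += result == "hit"
    flagged = []
    for requester, s in stats.items():
        n = len(s["numbers"])
        if n > max_distinct or (n >= 10 and s["hits"] / n < min_hit_rate):
            flagged.append(requester)
    return sorted(flagged)

# Constructed log: "alice" syncs two real contacts; "sweep" walks a number range.
SAMPLE_LOG = ["alice +60120000002 hit", "alice +60120000003 miss"] + [
    f"sweep +601200{i:05d} {'hit' if i == 1 else 'miss'}" for i in range(12)
]
```

With the quota in place, a full-range upload from one requester stops being answered after a handful of numbers, and the hit-rate rule flags it even when the quota is generous.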
What about the current breach?
The team at CACT analysed the breach by looking through the data that was leaked. A country-based summary was provided for reference.
This is interesting, as Malaysiakini under-reported the number, claiming it to be only 11 million. Two versions of the file were discovered: one in CSV format carried 44M records, whereas the other dataset contained 34M records in a colon (:) delimited file.
A first observation of the leak file indicates that it is sorted by phone number, which confirms the phone number being the key field, with the rest pulled from that data. Name, gender, email address and date joined are just a few of the fields observed in the file. (Ironically, the files are split by country, and the person naming the file didn't know the spelling of Malaysia, spelling it as "malesia".)
Does this breach cover the whole population? The CACT research team affirms that this cannot be confirmed unless the full breach data is made available. This is because the breach data seems to be a subset and not ALL of the population. Again, this is not confirmed.
Is the data legitimate? A quick check based on a sample of 25 verified numbers confirms that the data obtained is accurate.
Troy Hunt's haveibeenpwned site also has the data for users to validate against. Other sites have been set up with similar intent, one called "haveibeenzuked" allowing the same search.
Should I check or not?
Here's the conundrum. You supply a valid mobile number to any of these sites to check. Now the site has a validated mobile number (even though the identity isn't revealed) to check against breach data. This means you are willingly giving your data (which may be breached in the future) to a third-party site, trusting that it will not reveal or leak the data.
Doesn't it sound like Facebook all over again? The choice is yours.
My identity is leaked. What can I do next?
If you did take the plunge and check, some of you will find that your data has been leaked. Whoever has the data may do anything with that information. What options do you have?
Realistically, you have three options (this is written for Malaysians in context):
Option 1 - You change your mobile number. Get a new number and inform all of your friends and family. You need to update the bank so that they send the TAC to the right number. Don't forget that Facebook and other social platforms also need your new number. This number will be fresh and untainted until the next breach, at which point you ponder these three options again.
Option 2 - You decide to practise better OPSEC by having a number dedicated to all social media access and 2FA requirements. You deny all calls coming to that number and keep it for limited use; any call coming to it is completely unnecessary and will be ignored. This requires you to invest in a new number, with the monthly expense of maintaining it and perhaps a device for it. In the long run, due to the limited use of the number, your primary number and identity are kept secure (there is still the risk of someone exposing your number by sharing their contacts with social media to find links, but it also means that most people will not be able to link you to other social media, as your social media number is not known to them).
Option 3 - You accept that breaches are part of life. The number is out, and there will be more occasions on which your number ends up in the open. You know that there is even human sharing of numbers and contacts due to marketing and other reasons beyond your control, but you practise a more mindful approach towards receiving unknown calls, stay wary that scams are prevalent and take additional precautions to avoid becoming a victim.
Next steps
In reality, social media has become part and parcel of our lives. Expecting social media to conform to human expectations doesn't seem to be heading in the right direction, and these leaks are a stark reminder of what can happen to data put on the web. As a social media user, the onus is on each and every one of us to decide how to use the platform. Some have even called for deleting their Facebook profiles, as Facebook mentioned that it will not be informing users affected by the breach.
References:
- Malaysiakini - https://www.malaysiakini.com/news/569543
- haveibeenpwned - https://haveibeenpwned.com
- Mashable - https://sea.mashable.com/tech/15195/mark-zuckerberg-is-using-signal-according-to-phone-number-leaked-in-facebook-hack
This article was originally published at https://www.drsuresh.net/2021/04/facebook-leak-533m/
CyberSecurity Associate Consultant @ Cybots
3 years
It's not really a leak. The attackers abused some API and ran code that went and started gathering people's information. It only targeted people that set their profile to public.
CEO
3 years
Thanks for posting.