10/04/2018

The Recent Facebook Hack Exposes an Internet-wide Failure

Fixing the issue is, in many ways, out of Facebook's hands

Facebook has received ample blame for the historic data breach that allowed hackers to not only take over the accounts of at least 50 million users but also access third-party websites those users logged into with Facebook. But what makes it so much worse is that fixing the issue is, in many ways, out of Facebook's hands.

Some of the web’s most popular sites have not implemented basic security precautions that would have limited the fallout of the Facebook hack, according to a recent research paper out of the University of Illinois at Chicago. If they had taken more care with their implementation of Facebook's Single Sign-On feature—which lets you use your Facebook account to access other sites and services, rather than creating a unique password for every site—the impact could have largely been limited to Facebook. Instead, hackers could potentially have accessed everything from people’s private messages on Tinder to their passport information on Expedia, all without leaving a trace. Even more staggering: You could be at risk even if you've never used Facebook to log into a third-party site.

Master Key
In a paper published in August, computer scientist Jason Polakis and his colleagues analyzed the many ways that hackers could abuse Facebook’s Single Sign-On tool. Facebook's not alone in offering the feature; Google has its own version of it, as do plenty of other so-called identity providers. But Facebook's, Polakis says, is the most widely implemented.

Please select this link to read the complete article from WIRED.