It’s safe to say that this recent Facebook access token hack is a complete mess — much more than a simple inconvenience that might have forced you to log back in to your Facebook account on your devices.
And while the company is still sorting out the details and working on ways for developers to mitigate the effects of the attack, there are three things you can do to regain a little more control over your digital life.
First, let’s catch up on Facebook’s latest analysis of the hack:
Facebook Dodges A Big Bullet, Maybe
Facebook paints a rosy picture of the attack’s aftereffects in its most recent blog post. It has “found no evidence that the attackers accessed any apps using Facebook Login” and it’s “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out”.
That sure is nicer to hear than the doom and gloom that came from security researchers over the past few days, who (rightfully) envisioned a pretty far-reaching collapse of account security as a result of Facebook’s hack.
Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago, listed out a handful of potential issues in a comprehensive (and now highly referenced) Twitter thread:
Depending on how a site implements local account management, in some cases attackers can gain access to users' 3rd party accounts that haven't been associated with their FB account. In other cases the attacker is simply presented with a new account (under the user's name). (7/n)
— jason polakis (@jpolakis) September 29, 2018
More importantly, once attackers gain access to those 3rd parties, they can maintain access to user accounts in those websites using the cookies set by those sites. No matter what FB does, they can’t do anything to prevent attackers’ from accessing those accounts. (9/n)
— jason polakis (@jpolakis) September 29, 2018
However, there are still plenty of questions concerning what data, if anything, was accessed for the 50 million accounts the hack directly affected. And as The New York Times’ Farhad Manjoo argues, Facebook’s big security breach should be enough to disqualify it from your digital toolbelt — no more single sign-ons using the service:
This is a classic you-had-one-job situation. Like a trusty superintendent in a Brooklyn walk-up, Facebook offered to carry keys for every lock online. The arrangement was convenient — the super was always right there, at the push of a button. It was also more secure than creating and remembering dozens of passwords for different sites. Facebook had a financial and reputational incentive to hire the best security people to protect your keys; tons of small sites online don’t — and if they got hacked and if you reused your passwords elsewhere, you were hosed.
But the extensive hack vaporizes those arguments. If the entity with which you trusted your keys loses your keys, you take your keys elsewhere. And there are many more-secure and just-as-convenient ways to sign on to things online.
I think that’s great advice, and you can even take it one step further.
How To Disable Facebook’s Single Sign-On And More
First, hit up your Facebook settings and remove all the apps under “Active Apps and Websites”. Yes, every single one. You won’t miss them, I promise.
You can even go bigger. Under the “Apps, Websites and Games” section under the “Preferences” heading, click on “Edit”, and then click “Turn Off”. You’ll now no longer be tempted to sign into new services using your Facebook account, because that won’t work. Ta-da.
I recommend a third and slightly more extreme measure. Sign up for a Gmail account, if you don’t have one already. Then, when you go to sign up for a new service — say, Twitter — give the service a modified email address: [email protected], for example. Google will ignore the plus sign in your email address and anything that comes after it, but a service like Twitter should consider this a full, unique email address.
While you’re at it, switch your Facebook email address over to something unique as well, or just [email protected] In theory — and I’m spitballing here — this should make it more difficult for attackers to use access tokens from one service to mess with your accounts (or to-be-created accounts) on another if you’ve never set up the latter with single sign-on, since there won’t be a common link between the two.
Let’s talk about that elephant in the room. Facebook’s recent disclosure that attackers got their hands on access tokens for an unknown number of Facebook accounts is a big deal, since it’s the kind of hack that you, a happy Facebook user, could not prevent.
At least, I think that should help address what Jason Polakis previously tweeted, summarised by The Guardian here:
It gets even worse. Even if you’ve never used Facebook’s sign-in for an app or website, an attacker could still use the token to log in as you, provided you use the same email address for both services, says Polakis.
And if you don’t yet have an account on these services, attackers can use tokens to create one in your name, which can sit dormant waiting for you to eventually log in so they can steal your personal information.
If you use a tool such as LastPass or 1Password to keep track of your accounts, it won’t be hard to remember which modified email you used with which service. (Set up two-factor authentication on your password managers, too, and pray they never suffer any kind of crazy security breach like what Facebook’s dealing with, or else we’re all screwed.)