Matti Suominen, Lead Consultant at Nixu
Teemu Kääriäinen, Lead Security Specialist IAM at Nixu
On September 25, the Facebook team found a vulnerability in how Facebook handled access rights when viewing content as another user. The feature was intended to give users a way to see how content appears to others who might not have the same access rights. Instead, the information of more than 50 million users was put at risk. The feature could be abused to obtain access tokens that essentially turned one user into someone else, giving them full access to anything the other user could do. Facebook fixed the issue promptly after the discovery, and it was reported widely in the media a few days later, on September 27. The fallout is still ongoing at the time of this writing, and legal battles are sure to follow.
What caused the issue in the first place?
At its core, the vulnerability is a matter of authentication and authorization. It reminds us why identity and access management is such a fundamental aspect of security.
Facebook uses a protocol called OAuth 2.0, which it helped to develop in 2010. The protocol later became an integral part of how most web applications and APIs handle user permissions and consent management. The key business drivers behind the introduction of OAuth 2.0 were ease of integration and developer productivity, which meant that much of the responsibility for implementing the standard securely was placed on individual developers. Today, OAuth 2.0 is the de facto standard in the industry and is used widely by most of the world’s leading platforms.
OAuth 2.0 is not to blame; the poor implementation is
The Facebook breach was caused by shortcomings in how Facebook implemented the standard on its API platforms. This does not mean that the protocol itself is flawed; the problem was in Facebook’s own implementation. For most companies implementing their own APIs with authentication, this incident is no immediate cause for concern unless Facebook authentication was used. However, it reminds us of the dangers of getting such fundamental aspects of API management wrong.
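As an added illustration (not Facebook's code, and not a description of how their feature was actually built), the following Python sketch shows the design principle at stake: a "view as" token whose subject remains the acting user, with the viewed user recorded only as a rendering context and the scope narrowed to read-only, so the token can never act as someone else. The token format, the claim names (`sub`, `view_as`, `scope`) and the sample post data are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed for the example; keep real keys in a KMS/HSM


def _sign(claims: dict) -> str:
    """Authorization server: serialize claims and append an HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token: str) -> dict:
    """Resource server: reject any token whose tag does not match."""
    body, tag = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("invalid token signature")
    return json.loads(base64.urlsafe_b64decode(body))


def issue_login_token(user: str) -> str:
    """Normal login: the token's subject is the user who authenticated."""
    return _sign({"sub": user, "scope": ["profile:read", "profile:write"]})


def issue_view_as_token(actor: str, target: str) -> str:
    """'View as': the subject is still the actor. The target is only a
    rendering context and the scope is read-only, so this token cannot be
    replayed anywhere as the target (the flaw described above)."""
    return _sign({"sub": actor, "view_as": target, "scope": ["profile:read"]})


# Constructed sample data: each post has an owner and an audience.
POSTS = {
    "p1": {"owner": "alice", "audience": {"alice", "bob", "carol"}},
    "p2": {"owner": "alice", "audience": {"alice"}},
    "p3": {"owner": "bob", "audience": {"bob"}},
}


def render_profile(token: str) -> list:
    """Show the actor's own posts, filtered by what the viewed user may see.
    Ownership is checked against 'sub', so a view_as token never exposes
    the target's private posts and every request is attributed to the actor."""
    c = verify(token)
    viewer = c.get("view_as", c["sub"])
    return sorted(pid for pid, p in POSTS.items()
                  if p["owner"] == c["sub"] and viewer in p["audience"])


def write_post(token: str, text: str) -> tuple:
    """Writes require profile:write and are stored under 'sub'."""
    c = verify(token)
    if "profile:write" not in c["scope"]:
        raise PermissionError("read-only token")
    return (c["sub"], text)
```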
How to implement OAuth 2.0 successfully?
Nixu has been guiding many companies in securing their OAuth 2.0 implementations, ranging from financial institutions to retail companies. The OAuth 2.0 specifications offer a wide range of resources for incorporating security into the development lifecycle of building and deploying OAuth 2.0 based solutions. A key document is RFC 6819, OAuth 2.0 Threat Model and Security Considerations (https://tools.ietf.org/html/rfc6819), which provides an extensive list of threats and security controls for building effective safeguards.
Digging into the details of the protocol implementation complements traditional penetration testing, where the focus is typically on finding conventional security vulnerabilities in the endpoints exposed by the applications acting as OAuth 2.0 authorization servers, client applications or resource servers. Using the OAuth 2.0 threat model as the basis for security verification of the OAuth 2.0 setup makes it possible to give a customer assurance that the solution has been implemented so that it is reliable in its functionality and resilient against threats.
This approach can be used to verify that safeguards and countermeasures are in place to mitigate threats such as information disclosure or unauthorized alteration. This repeatable process, together with years of experience in deploying business-critical OAuth 2.0 setups, makes it possible to guarantee that companies can continue their business operations without disruption when building their digital transformation strategy on API ecosystems and OAuth 2.0 based access management.
Whichever way the Facebook saga continues to develop, it has made one thing clear: API security will remain a critical security consideration. As more and more systems are built on top of APIs, our security is largely guaranteed by securely designed and implemented identity and access management.