Earlier today, Facebook published a blog post about a recently discovered vulnerability in its platform, which was actively exploited by attackers. Here's an excerpt from the Facebook blog:
"On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security. Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."
Facebook's investigation is still ongoing; however, we already know that the root cause of the vulnerability lies in a code/logic change that Facebook introduced to a video uploading feature in July 2017.
To exploit this issue, attackers had to find the bug, abuse it to steal an access token, and then pivot from the first compromised account to other accounts in order to steal more of these tokens. What makes a stolen token so dangerous is that it is a bearer credential: whoever holds it is the account as far as the API is concerned, with no password and no second factor required.
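To make the bug class concrete, here is a small added example written for this page. It is not Facebook's code and not a reconstruction of their actual implementation; it models the pattern the post describes: a "view as" preview feature that hands an embedded widget an access token. The vulnerable version mints the token for the impersonated user, so a preview leaks a credential for somebody else. The hardened version binds every credential to the authenticated caller and gives the preview widget a token the API refuses. The `harvest` function plays the attacker's pivot through a constructed friend graph. The HMAC token format, the `FRIENDS` graph and all user names are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

# Assumption: one server-side HMAC key. Real deployments keep this in a KMS/HSM.
SIGNING_KEY = b"demo-signing-key-do-not-use"

# Constructed social graph for the pivot demonstration (not real data).
FRIENDS: Dict[str, List[str]] = {
    "mallory": ["alice"],
    "alice": ["bob", "carol"],
    "bob": ["alice"],
    "carol": ["alice", "dave"],
    "dave": ["carol"],
}


def issue_token(subject: str, scopes: List[str], audience: str, ttl: int = 3600) -> str:
    """Mint a bearer token: base64url(JSON payload) + "." + HMAC-SHA256 tag."""
    payload = {"sub": subject, "scp": sorted(scopes), "aud": audience,
               "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str) -> Optional[dict]:
    """Return the payload if the tag is valid and the token is unexpired, else None."""
    if "." not in token:
        return None
    body, tag = token.split(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload["exp"] < time.time():
        return None
    return payload


def whoami(token: str) -> Optional[str]:
    """API resource server: which account may the holder of this token act as?
    Tokens issued for another audience (e.g. a preview renderer) are rejected."""
    payload = verify_token(token)
    if payload is None or payload["aud"] != "api":
        return None
    return payload["sub"]


def view_as_vulnerable(session_user: str, target_user: str) -> dict:
    """Render session_user's profile as target_user would see it.

    Bug class: the embedded uploader widget is initialised with a token minted
    for the *impersonated* user, so whoever triggers the preview walks away
    with a credential for somebody else's account."""
    uploader_token = issue_token(target_user, ["profile:read", "video:upload"], audience="api")
    return {"rendered_as": target_user, "uploader_token": uploader_token}


def view_as_hardened(session_user: str, target_user: str) -> dict:
    """Same feature, fixed: the only credential handed out is bound to the
    authenticated caller, is read-only, and carries a "preview" audience that
    the API refuses, so it cannot be replayed to act as anyone."""
    preview_token = issue_token(session_user, ["profile:read"], audience="preview")
    return {"rendered_as": target_user, "uploader_token": preview_token}


def harvest(attacker: str, view_as: Callable[[str, str], dict]) -> Dict[str, str]:
    """Attacker's pivot: preview as each friend, keep any token the API accepts
    for a different account, then repeat from every account just taken over.
    Holding an account's token is what lets the attacker call view_as as it."""
    stolen: Dict[str, str] = {}
    frontier = [attacker]
    visited = {attacker}
    while frontier:
        current = frontier.pop()
        for friend in FRIENDS.get(current, []):
            token = view_as(current, friend)["uploader_token"]
            acting_as = whoami(token)
            if acting_as in (None, current, attacker) or acting_as in stolen:
                continue
            stolen[acting_as] = token
            if acting_as not in visited:
                visited.add(acting_as)
                frontier.append(acting_as)
    return stolen


if __name__ == "__main__":
    print("vulnerable:", sorted(harvest("mallory", view_as_vulnerable)))
    print("hardened:", sorted(harvest("mallory", view_as_hardened)))
```

With the vulnerable preview, a single attacker account reaches every account in the constructed graph in a few hops; with the hardened one, the harvest is empty because the resource server rejects the preview-audience token and the only subject ever minted is the caller. The two checks worth copying into a real code review are in `whoami`: the subject must be the principal who authenticated, and the audience must match the service consuming the token.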
I've been preaching and teaching application security for over two decades now, and I have to tell you, it's not uncommon for me to walk into a room full of smart people, demonstrate (watch the demo!) how an attacker can take over an application in a matter of minutes, only to get snarky remarks such as:
"That vulnerability will never exist in a real application"
"The odds that someone will find this issue, and manage to exploit it are slim"
"But we use [fill in the latest technology], it's not really relevant to us..."
And so on...
Trust me when I say this: Facebook has one of the best application security programs and processes in place. It uses the latest and greatest technologies, and if anyone knows how to develop robust applications, it's Facebook. Yet, from time to time, Facebook engineers make mistakes. And if they make mistakes, this can definitely happen in your organization.
Back to Serverless: What Should YOU Do?
- Never assume that your organization is immune to vulnerabilities. If it happened to Facebook, it can definitely happen to you.
- Earlier this year, we published the Serverless Security Top 10 Guide, which I hope you have already downloaded and shared with your serverless engineering team. Education is key to achieving a good security posture.
- If you are a CISO, make sure you read our blog post: "5 Simple Questions On Serverless Security, That Every CISO Should Be Ready To Answer"
- Serverless developers: listen to what Yan Cui (DAZN) has to say about FunctionShield ("All serverless developers should use FunctionShield as part of every new function they develop"). This free library for AWS Lambda functions takes zero effort to use and could be the thing that saves your life.
And most importantly, remember that YOU are responsible for the security of your serverless applications. If you are developing and deploying serverless applications, contact PureSec and start your free trial of the leading Serverless Security Platform. It only takes a few minutes to onboard the platform, secure your serverless applications, and gain real-time visibility into your cloud-native applications.