On Friday 15th Feb, Facebook announced in a blog post that it was the victim of a sophisticated hack attack last month that affected the computers of some employees. However, the company assured users that the attack was quickly discovered and that no user data was compromised or stolen from its servers.
The blog post said that the attack took place when some employees visited a mobile developer's website that had been infected.
The post reads:
“This website in turn allowed and hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”
Facebook has called in the FBI to investigate the attack on its servers.
So how did the attackers gain access to the laptops of Facebook employees?
In an interview with Ars Technica, Facebook Chief Security Officer Joe Sullivan said, “The attack was injected into the site’s HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected, regardless of how patched their machine was.”
Facebook’s blog post also pointed out that the company had flagged a suspicious domain in its corporate DNS logs and tracked it back to an employee laptop.
The attackers used a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) and install the malware. The malware was also able to install itself on both Apple and Windows machines, according to the report in Ars Technica. Facebook also reported the bug to Oracle, which provided a patch for it on 1 February 2013.
Facebook also pointed out that it was not the only company attacked. According to the Ars report, Facebook discovered traffic coming from several other companies and notified those companies of the attack. The report also points out that the attack took place in the same period as the attack on Twitter.
Earlier this month, Twitter too had claimed that over 250,000 accounts were affected in an attack, although it did not specify any details or the methodology of how the attack was orchestrated.
The attack on Facebook raises a lot of privacy fears for users, especially as the site has over a billion users, each with their personal photos, data, etc. As this post on TechCrunch points out, Facebook has a lot more to lose from getting hacked.
One also can’t forget that the hacker exploited Oracle’s Java to launch the attack. Security experts have already warned that Java isn’t secure and that users should disable the software in their web browsers.