How was the account hijacked? Via cookie theft. The author installed malware, maybe some dodgy Windows binaries or malicious browser extensions. No amount or type of 2FA on sign-in will protect you against the session cookie being stolen. (Now, additional 2FA on sensitive actions might).
Why was the account banned with such finality, with no chance of appeal? Probably for something outright illegal, like the hijacker uploading CSAM to the account. It's totally plausible that in an obvious enough case, the policy is e.g. to refer the case to law enforcement and keep the account disabled.
Why did the attacker want to get the account permanently disabled? Maybe an account disable doesn't stop ad campaigns on FB. So the attacker sets up an ad campaign, and then gets the account banned so that the owner can't reverse it.
I think that's quite likely. I have a (somewhat throwaway) FB account, not much of a profile and mainly used for a local cause. Co-admining a page I'd clicked on a clickbaity headline posted to the page and several days later my account was disabled.
The account recovery process was completely broken/circular but somehow the account revived itself after a week.
The fact that my 'friend suggestions' were untainted by a friends list seemed to confirm the hack as all my suggestions were from people in an entirely new continent.
There's no way clicking on a headline would lead to your account being hijacked... Unless there's a browser 0-day which are extremely valuable and no one would waste that on your FB account. Or if clicking the link downloaded malware and you ran the malware.
Did you ever use the password of the FB account anywhere else? You getting phished is also much more likely than a browser 0-day. Did you have a security key on the FB account?
You're right. But when there's an exploited vulnerability Facebook logs everyone out and then posts a blog post about it, as shown by the 2018 hack you linked to.
That hasn't happened here.
I don't really consider 3 years ago to be very recent.
I think that 3rd link is arguably not a vulnerability. If you intentionally want people to be able to look up future friends by email address, then that's basically the desired behavior. Now arguably allowing people to look up future friends by email is a privacy problem. Some users probably want that feature though. Yes a lack of rate limiting is a problem, but rate limiting won't stop attackers from doing it, it just slows them down.
Leaking PII in the name of "features" is a security disaster.
Ask yourself why Facebook doesn't just make available a spreadsheet of all names associated with which emails on the platform. It's because it's private information.
Why doesn't Facebook's security team do anything? Either they're incompetent, or they're being muzzled by product.
Additionally, Facebook's privacy policy explicitly says that they don't share your private information that you have chosen to set private. That's an egregious lie.
There's been a bit of miscommunication here, and I think it's partially my fault. It looks like there was a vulnerability in the rate limiter, and Facebook has admitted that and says they're trying to fix it (I don't know whether they have fixed it):
>In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."
I'm not sure whether you're just concerned with this apparent rate limit bypass vuln or with the entire concept of lookup by email.
>Ask yourself why Facebook doesn't just make available a spreadsheet of all names associated with which emails on the platform. It's because it's private information.
That would be Facebook telling you the email of every account. The behavior we're discussing is not doing that. Facebook allows you to find a person's profile given a person's email (assuming the person didn't disable that lookup in privacy settings, and also considering rate limits which might be bypassable by a vulnerability). Facebook doesn't allow you to do the reverse unless the person sets email visibility to public.
>Why doesn't Facebook's security team do anything? Either they're incompetent, or they're being muzzled by product.
What do you think they should do?
Just because someone disagrees with you doesn't make them incompetent.
>Additionally, Facebook's privacy policy explicitly says that they don't share your private information that you have chosen to set private. That's an egregious lie.
What private information is being shared? Your profile URL? Your first and last name?
Facebook has an option to disable this lookup. Are you saying people are disabling the lookup and Facebook is disobeying that?
>Who can look you up using the email address you provided?
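To make the distinction in this reply concrete, here is an added example (not Facebook's code) of an email-to-profile lookup that honours the target user's own "who can look you up" setting and rate-limits the caller with a sliding window. The directory, names, emails and the three setting values are constructed for the example; the reverse direction (profile to email) is deliberately not implemented.

```python
"""Added example (not Facebook's code): an email-to-profile lookup that enforces
the target user's own "who can look you up" setting and rate-limits the caller.
All users, names and emails below are constructed for the example."""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Constructed directory. "lookup" mirrors the setting quoted above:
# "everyone", "friends" or "nobody" may find this account by email.
USERS: Dict[str, dict] = {
    "alice@example.com": {"name": "Alice Example", "profile": "/alice",
                          "lookup": "everyone", "friends": {"/bob"}},
    "bob@example.com":   {"name": "Bob Example", "profile": "/bob",
                          "lookup": "friends", "friends": {"/alice"}},
    "carol@example.com": {"name": "Carol Example", "profile": "/carol",
                          "lookup": "nobody", "friends": set()},
}


class RateLimited(Exception):
    """Raised when the caller has exhausted its lookup budget."""


class SlidingWindowLimiter:
    """At most `limit` events per `window_s` seconds, tracked per caller key.
    This slows bulk enumeration down; it does not by itself prevent it."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_by_email(requester: str, email: str, now: float,
                    limiter: SlidingWindowLimiter) -> Optional[dict]:
    """Map an email to (name, profile URL) if the target allows it.

    The reverse direction (profile -> email) is intentionally not offered:
    that is the "spreadsheet" the thread objects to.
    """
    if not limiter.allow(requester, now):
        raise RateLimited(requester)
    user = USERS.get(email)
    # One uniform "not found" for unknown emails and for disabled lookups, so the
    # response does not confirm whether an email address is registered at all.
    if user is None or user["lookup"] == "nobody":
        return None
    if user["lookup"] == "friends" and requester not in user["friends"]:
        return None
    return {"name": user["name"], "profile": user["profile"]}
```

The rate-limit budget is charged before the directory is consulted, so misses cost the caller the same as hits, and the "nobody" case returns the same value as a non-existent address rather than a distinguishable error.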
It was a secure account as far as the password goes, no 2FA. Like I said it was a bit of a throwaway account. Password 15 chars long, random chars.
No phishing.
I concluded that there's perhaps a cross-origin issue on Facebook's side that allowed cookie hijacking. The clickbaity link was almost tailor made for our group "[something ominous happened] in [your part of town]". Looks like it was auto-shared by someone whose account had been compromised as they were local. Reasonably confident it was a session hijack, my password remained the same while account locked.
The only other plausible thing wrt my account's case was that it was almost empty (i.e. no photo, no friends, not much to go by) and was somehow flagged but was given a misleading reason why it was.
>The only other plausible thing wrt my account's case was that it was almost empty (i.e. no photo, no friends, not much to go by) and was somehow flagged but was given a misleading reason why it was.
That sounds much more likely to me.
When Facebook has a website vulnerability that is exploited, they log everyone out, post a blog post, and it makes big news:
>"[something ominous happened] in [your part of town]"
Those ads are all over. They determine [your part of town] through geoip or FB tells the advertiser your city. It's like the "singles in [your city]" ads.
The thing is it wasn't an ad, it was a post a regular user posted into a group.
And that being the plausible answer doesn't explain why I, as a Northern European, ended up post-ban-resurrection getting all my friend suggestions from Africans. It was never the case before that and all my activity simply involved campaigning against losing a local park and looking at local news.
Was the user a spam bot? Maybe the bot saw a city mentioned in the group and generated a spam comment using that city.
It's possible some people (or bots) from Africa viewed your page and no one else did in the recent past, and thus Facebook thought there was some connection between you and Africa.
Clearly shows where their priorities lie. They will shut down your social (media) life without recourse, but heaven forbid that has a negative impact on the ad spends.
The attacker should have replicated the browser fingerprint and IP on top of stealing the cookie - or just flat out used his computer remotely while he was sleeping.
I haven't used FB in a while but I remember logins from other places were detected.
Technically that's possible but there would be too many false positives. People would be signed out every time they took their laptop home from a coffee shop or connected over a mobile hotspot.
Yes. Facebook has implemented features to try to keep their users signed in, even if the user indicates that they want to sign out. Therefore, Facebook wouldn't want to sign people out if they go to a coffee shop.
They could use your local MAC or maybe detect the local radius of your IP (e.g. if you suddenly appear from a different continent then send a confirmation email). Sure, people using Tor might get burnt but those use cases are likely less common than those who are getting their session cookies hacked.
A carrier-grade NAT could make you change IP address. Tor will do it. You would cause yourself more problems if you would start to bind a session to an IP address.
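The two positions in this sub-thread (continent-level checks with a confirmation step, versus the false positives of binding a session to an IP) and the earlier point that 2FA on sensitive actions still helps after cookie theft can be reconciled in one policy. The following is an added example of such a policy, not Facebook's code: it never binds a session to an IP, treats same-continent IP changes and unknown locations (Tor, unlisted CGNAT pools) as normal, and answers a continent jump or a sensitive action with a step-up confirmation rather than a sign-out. The GeoIP table, the action list and the step-up lifetime are assumptions constructed for the example.

```python
"""Added example (hypothetical policy, not Facebook's): evaluate a request on an
existing session without binding the session to an IP address. Same-continent
IP changes (coffee shop, mobile hotspot, carrier-grade NAT) pass silently; a
continent jump, or any sensitive action, asks for a step-up confirmation instead
of signing the user out. Geolocation is a constructed table so this runs offline."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import ipaddress

# Constructed stand-in for a GeoIP database, using documentation prefixes.
CONSTRUCTED_GEO = {
    "198.51.100.0/24": "EU",  # "home ISP" in this example
    "203.0.113.0/24": "EU",   # "coffee shop / hotspot", still in Europe
    "192.0.2.0/24": "AF",     # a network on another continent
}


def continent_of(ip: str) -> Optional[str]:
    """Return the continent code for an IP, or None when unknown (Tor exit,
    unlisted CGNAT pool, ...). Unknown is deliberately not treated as travel."""
    addr = ipaddress.ip_address(ip)
    for prefix, continent in CONSTRUCTED_GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return continent
    return None


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # keep the session, demand a confirmation (email link, 2FA)


# Actions where a stolen cookie alone must not be enough (assumption).
SENSITIVE_ACTIONS = {"change_password", "change_email", "create_ad_campaign",
                     "add_payment_method"}
STEP_UP_TTL_S = 10 * 60  # a completed step-up covers sensitive actions for 10 min


@dataclass
class Session:
    user_id: str
    origin_continent: Optional[str]  # continent seen at sign-in or last step-up
    step_up_ok_until: float = 0.0    # expiry of the last successful step-up


def travelled(session: Session, ip: str) -> bool:
    """True only for a known continent that differs from the session's origin."""
    here = continent_of(ip)
    return (here is not None and session.origin_continent is not None
            and here != session.origin_continent)


def evaluate(session: Session, ip: str, action: str, now: float) -> Decision:
    if travelled(session, ip):
        # Continent jump: confirm the session owner before doing anything further,
        # but do not invalidate the cookie (no forced sign-out).
        return Decision.STEP_UP
    if action in SENSITIVE_ACTIONS and session.step_up_ok_until < now:
        # Sensitive action without a fresh second factor: cookie alone is not enough.
        return Decision.STEP_UP
    return Decision.ALLOW


def complete_step_up(session: Session, ip: str, now: float) -> None:
    """Called after the user proves possession of the second factor; the
    confirmed location becomes the session's new origin."""
    session.step_up_ok_until = now + STEP_UP_TTL_S
    here = continent_of(ip)
    if here is not None:
        session.origin_continent = here
```

Because the check is on the continent rather than the address, a CGNAT re-assignment or a hotspot does not trip it, and an address the table cannot place is treated as "no evidence" rather than as a jump, which is the trade-off the Tor remark above is pointing at.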