After Facebook glitch (March 5, 2024): Have you been able to log in to other people's accounts?

This is a follow-up to this week's Facebook disruption, in which users were forcibly logged out and could only log back in after a few hours. A reader has contacted me and reported that he was able to log in to Facebook under a friend's profile. Later I received several confirmations from other users.


Facebook glitch on March 5, 2024

On March 5, 2024, there was a major worldwide disruption on Facebook in which many users were forcibly logged out and could no longer log in. The attempt to perform a password reset failed, as I discovered.

Facebook password reset disrupted

I reported this in the German blog post Störung bei Facebook (5.3.2024), and other media also covered the issue. After a good 2 hours, the problem, which also affected Instagram and Threads, was probably resolved.

There is no exact information on the reason for the outage. Forbes has published a statement from Meta here. It says: "Earlier today, we experienced difficulties accessing some of our services due to a technical issue. We have resolved the issue as quickly as possible for all those affected and apologize for any inconvenience caused."

Forbes writes that experts from Cisco's ThousandEyes Internet Intelligence team have analyzed the Meta outage and have more detailed information about what actually happened. According to the team, which monitors the accessibility and performance of thousands of services and networks worldwide, the Meta outage was likely caused by a problem with a back-end service such as authentication.


"ThousandEyes confirmed that Meta's web servers were still accessible, network paths were clear, and the web servers were responding to users," the researchers wrote in a blog. However, users who tried to log in received error messages, which "points to a backend service, such as authentication, as the cause of the problem," the researchers said.

However, on March 6, some users report that they are still unable to access their accounts. Forbes says that most of the problems appear to be due to an issue with two-factor authentication (2FA), with SMS codes not working on the site.

A reader reports unauthorized account access

German blog reader Jan-Niclas contacted me in a private message on Facebook on Tuesday night (after the outage). I can assess the reader based on his technical profile (he is an IT professional). What he reported doesn't sound good.

"I don't know if the information has reached you yet, but after Facebook was down, I had a strange behavior when logging into the app. I had already read that Facebook had logged everyone out, which was also the case in the app.

"Now, when I logged in, my account and another account of a friend with whom I had never logged in on my device were displayed. I then clicked on the friend's account and lo and behold, the app logs in with the friend's account and I have full access."

Screenshots: Facebook login, Facebook account

The reader provided me with the screenshots above. In the screenshot on the right, his own account is marked with a checkmark, the friend's account is named St*** (I anonymized it). The reader continued to write:

"Switched straight back to my account then of course. That's a bit strange. The only connection I can think of is that we are both admins of a site and the friend owns the site."

In a follow-up post, the reader posted the following information:

"In Facebook itself, the accounts look normal again.

"When I go to the Messenger app, I can still see the friend's account, but I now have to enter a password, which is because the friend has changed the password."

I don't use a Facebook app myself and only use a browser, so I haven't noticed anything like this. But I'll post the information on the blog, along with the question of whether anyone else in the readership has noticed anything similar?

I got more reports

After I mentioned this on Facebook and linked to my blog post, I got more feedback from blog readers. There is a German comment from Max on my blog, which I have extracted and translated here in part.

"A customer of mine reported exactly the same behavior to me. The customer has an admin account for administration on a club website. The actual admin then had the aforementioned problems or phenomenon in the evening, that after a repeated attempt to log in to the club site, the customer's account was also available for selection and he was able to log in there without any problems.

"I couldn't believe it at first until I saw it live. We then first changed my customer's FB account password. Unfortunately, it was not possible to change or set up the MFA, nor was SMS possible.

"This behavior is pretty blatant. I'm curious to see when the security functions for setting up the account will work again."

Then there was further feedback on Facebook to my post with the article link here. The first message read:

"My attention was drawn to an application elsewhere yesterday. Thanks to MFA it wasn't successful."

And another user wrote me the following observation: I suddenly had a different e-mail address. There seems to have been some confusion. And the existing authentication tokens seem to have been mixed up so that it was possible to log in under other user accounts.

I will take up the issue and ask the Irish DPC, because in the business sector this is a GDPR violation for which Facebook is responsible.

 



2 Responses to After Facebook glitch (March 5, 2024): Have you been able to log in to other people's accounts?

  1. Nicole Chupp says:

    I was wondering how my Facebook was hacked after the outage, I figured it had something to do with it, some kind of back door left open. After reading this it makes me wonder if the Facebook outage has to do with the leaky data of 2FA codes that was left exposed on the internet for Facebook, TikTok and Google users. https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/?&web_view=true
