Microsoft Claims Azure Active Directory B2C Not Affected by Facebook Hack -- Redmondmag.com

Microsoft Claims Azure Active Directory B2C Not Affected by Facebook Hack

By Kurt Mackie
10/05/2018

Microsoft indicated on Thursday that its Azure Active Directory B2C service wasn't affected by the Facebook hack last month that potentially exposed the access tokens of about 50 million Facebook users.

The breach was the largest one yet for Facebook and it occurred due to three software flaws, according to a September 28 explanation by Guy Rosen, vice president of product management at Facebook. Those flaws made it possible for user access tokens to get stolen using the Facebook "View as" feature, which was supposed to just display how a person's profile looked to others. With stolen access tokens, it's possible to take over accounts. The tokens are used to keep users signed into the Facebook service.

The Facebook social media service can be used as an "identity provider" with Azure AD B2C, which is Microsoft's identity service for connecting businesses with consumers. It's been possible to use a Facebook ID (along with IDs from Amazon, Google and LinkedIn) with the service ever since Microsoft launched Azure AD B2C in 2016. More recently, Microsoft added GitHub and Twitter as accepted identity providers that can be used with the service.

While the Facebook hack exposed the access tokens of Facebook users, the breach didn't affect users of the Azure AD B2C service, Microsoft contended, even if Facebook served as the identity provider. The Azure AD B2C service doesn't use those Facebook tokens directly. Instead, it uses an authorization code that's sent from the user's browser, Microsoft explained, in its announcement.

Here's how the announcement expressed it:

Since B2C does not accept access tokens from the end user, the exploit that Facebook has described does not apply -- even if an attacker presented B2C with the access token of another Facebook user, B2C is not configured to accept it to authenticate the user.

Facebook acted about two days after detecting the breach to address the issue, according to Rosen, in a video in Facebook's announcement. The software flaws were fixed, the tokens were reset and Facebook temporarily turned off the View As feature, according to the company. All Facebook users (90 million accounts) will be compelled to sign back into their accounts as a precaution.

Rosen stated that "there's no need for anyone to change their [Facebook] passwords." However, the U.S. Federal Trade Commission, in a consumer advisory on the matter, recommending doing it anyway.

In an October 2 announcement, Rosen said that analysis by Facebook had showed that no "third-party apps" had been accessed using Facebook logins as a consequence of the breach.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.