Microsoft Claims Azure Active Directory B2C Not Affected by Facebook Hack
Microsoft indicated on Thursday that its Azure Active Directory B2C service wasn't affected by the Facebook hack last month that potentially exposed the access tokens of about 50 million Facebook users.
The breach was the largest one yet for Facebook and it occurred due to three software flaws, according to a September 28 explanation by Guy Rosen, vice president of product management at Facebook. Those flaws made it possible for user access tokens to get stolen using the Facebook "View as" feature, which was supposed to just display how a person's profile looked to others. With stolen access tokens, it's possible to take over accounts. The tokens are used to keep users signed into the Facebook service.
The Facebook social media service can be used as an "identity provider" with Azure AD B2C, which is Microsoft's identity service for connecting businesses with consumers. It's been possible to use a Facebook ID (along with IDs from Amazon, Google and LinkedIn) with the service ever since Microsoft launched Azure AD B2C in 2016. More recently, Microsoft added GitHub and Twitter as accepted identity providers that can be used with the service.
While the Facebook hack exposed the access tokens of Facebook users, the breach didn't affect users of the Azure AD B2C service, Microsoft contended, even if Facebook served as the identity provider. The Azure AD B2C service doesn't use those Facebook tokens directly. Instead, it uses an authorization code that's sent from the user's browser, Microsoft explained, in its announcement.
Here's how the announcement expressed it:
Since B2C does not accept access tokens from the end user, the exploit that Facebook has described does not apply -- even if an attacker presented B2C with the access token of another Facebook user, B2C is not configured to accept it to authenticate the user.
Facebook acted about two days after detecting the breach to address the issue, according to Rosen, in a video in Facebook's announcement. The software flaws were fixed, the tokens were reset and Facebook temporarily turned off the View As feature, according to the company. All Facebook users (90 million accounts) will be compelled to sign back into their accounts as a precaution.
Rosen stated that "there's no need for anyone to change their [Facebook] passwords." However, the U.S. Federal Trade Commission, in a consumer advisory on the matter, recommending doing it anyway.
In an October 2 announcement, Rosen said that analysis by Facebook had showed that no "third-party apps" had been accessed using Facebook logins as a consequence of the breach.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.