What the Experts Say about 2018’s Worst Security Breaches

Despite constant talk about the increasing importance of protecting our data, 2018 once again showed that even the best-laid plans fail when confronted with the smallest errors. The year saw some of the biggest attacks yet, putting the identities and private data of hundreds of millions of users at risk. Most importantly, these breaches show how far we are from keeping our data out of the wrong hands.

The top hacks of 2018 didn’t happen to no-name or small businesses, but to some of the biggest brands in technology, hospitality, and B2B services. Although they did not all result in immediate threats to users, the fact that they happened so effortlessly raises important questions. Here is what some of the top names in the industry had to say about this past year in cyber security and some of the biggest hacks of 2018.

Security Vulnerabilities Threaten Your Favorite Apps, 600 Million+ Users’ Data

One such vulnerability was recently discovered on Branch.io, a central third-party platform for applications looking to track mobile user data. With clients that include Tinder, Yelp, Shopify, Reddit, Pinterest, and Airbnb, the company’s tools have access to hundreds of millions of users. Thus, when a massive security flaw was found, researchers estimated it put nearly 685 million users’ data at risk.

The problem lies in the way Branch produces mobile sub-domains for its clients, where a cross-site scripting (XSS) vulnerability allows enterprising hackers to inject their own malicious code. When unsuspecting users access the mobile version of a website or a mobile app, their data can be captured and stolen without being detected.

What’s worse, according to Ariel Hochstadt, the expert who discovered the flaw, “The fact that the vulnerability is DOM based and Branch.io still isn’t using CSP made these vulnerabilities easy to exploit in any browser we like. By simply changing the redirect site to a specially crafted payload that can manipulate the DOM, hackers could easily set up an XSS injection to extract data undetected.”
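The weakness described above is a redirect parameter flowing unvalidated into the DOM, with no Content-Security-Policy as a backstop. The following is an added example (not Branch.io’s code) contrasting that pattern with a hardened version; the allow-listed hosts, the `redirect` parameter name and the CSP string are constructed for illustration.

```javascript
// Added example: hardening a DOM-based redirect. The allow-list, the
// `redirect` parameter name and the CSP header are constructed assumptions.

const ALLOWED_REDIRECT_HOSTS = new Set(["example.com", "m.example.com"]);

// Vulnerable pattern: the query parameter is returned untouched, so whatever
// the crafted link carries reaches the DOM sink. Shown for contrast only.
function unsafeRedirectTarget(pageUrl) {
  return new URL(pageUrl).searchParams.get("redirect");
}

// Hardened pattern: parse the value as an absolute URL, require http(s),
// require an allow-listed host, and return null for anything else.
function safeRedirectTarget(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get("redirect");
  if (!raw) return null;
  let target;
  try {
    target = new URL(raw); // relative or malformed values throw here
  } catch {
    return null;
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  if (!ALLOWED_REDIRECT_HOSTS.has(target.hostname)) return null;
  return target.href;
}

// Rendering: textContent never interprets markup, whereas innerHTML would
// treat an injected payload as HTML.
function renderRedirectNotice(container, href) {
  container.textContent = href ? `Redirecting to ${href}` : "Invalid redirect";
  return container.textContent;
}

// The CSP the expert notes was missing: with inline script disallowed and
// scripts restricted to the page's own origin, an injected script does not run.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
```

Serve `CSP_HEADER` as the `Content-Security-Policy` response header on every page that hosts the redirect logic; the allow-list check and the header are independent layers, and each still helps when the other is misconfigured.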

For most companies, the use of older or incompatible technology makes them vulnerable even with the strongest security. In this instance, the public was lucky that the flaw was exposed by an altruistic third party, and not a hacker. Even so, putting at risk more than half a billion users qualifies as a major blunder for such a popular application.

Facebook’s Security Is Pierced Multiple Times

2018 was a decidedly bad year for Facebook’s security teams, which had to contend with a barrage of hacks and vulnerabilities. Most recently, the company had to struggle with a vulnerability discovered in the Google Chrome browser, which gave hackers access to users’ query data if they clicked on a specific website (an attack known as cross-site request forgery).

According to Ron Masas, a researcher with the company that found the flaw, the problem extends beyond users’ own data, as “Similar queries can be composed to extract data about the user’s friends. For example, by searching “my friends who like Imperva” I can check if the current user has any friends who like the Imperva Facebook page.”

Earlier in the year, it was revealed that the company also allowed a third-party application (Cambridge Analytica) to take the data of over 80 million users, which, though less technical than other hacks, was still significant. The weighty impact, according to Will Oremus—senior technology writer at Slate—is that it’s “Partly because the stakes in this particular data scandal are so high. Had the same data been used to sell people refrigerators or send them email spam, the story would not be playing out on such a big stage. In other words: Almost any significant role Facebook played in the success of the Donald Trump would be a momentous one, because his victory altered the course of history.”

In September, the company also announced that it had found a bug in its “View As” tool—which lets users see their profiles as someone else would—which would permit strangers to steal users’ access tokens and take their private data easily. The problem, according to renowned expert Brian Krebs, is what’s left unsaid. According to Krebs, “One other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user. Tens of thousands of websites let users log in using nothing more than their Facebook profile credentials.”

Marriott’s Starwood Purchase Comes with Security Baggage

In the most recent case of a massive data breach this year, hospitality behemoth Marriott reported that the data of 500 million customers who had stayed at its Starwood hotels had been stolen. The worst part is that this is not the first hack to come to light. Since the news broke, several other undetected or unreported attacks have been revealed including one that was caused by a security contractor unknowingly infecting the company’s email client with malware.

In this case, data breach hunter Chris Vickery was careful to note that “Usually when there is a breach like this, the data is encrypted, ransomed or (the victim is) extorted.” The attack likely was not a one-time hack, but a breach that has been exploited since at least 2014.

Per Vickery, “The breach is typically an automated process via a script. That’s what we saw with WannaCry and Merck. With those companies it was an automated exploit that finds the weakness, goes in and encrypts and then ransoms the data.” He’s also careful to note that Marriott has not used the word hack, noting that this vulnerability was not a one-time breach, but rather a concerted effort.

An Ever-Shifting Game of Cat and Mouse

Cyber-security has become a more comprehensive effort than ever before. When attacks are not simple hacks and direct breaches, security experts must focus their labors on the less-considered paths of attack. 2019 will see the challenges increase and evolve as companies must constantly contend with millions of possible attack vectors. However, as new attacks emerge, so do the mechanisms to defend against them.