News

Facebook Hack Did Not Affect Microsoft Azure AD B2C Service

• By Kurt Mackie
• 10/08/2018

In an Oct. 4, 2018, Service blog post Microsoft said that the Facebook hack last month that potentially exposed the access tokens of about 50 million Facebook users did not affect Microsoft's Azure Active Directory B2C service.

The breach occurred because of three software flaws and was the largest breach to date for Facebook, according to a Sept. 28 explanation by Guy Rosen, vice president of product management at Facebook. Those flaws made it possible for user access tokens, which are used to keep users signed in to the service, to get stolen using the Facebook "View as" feature. The feature was supposed to just display how a person's profile looked to others. With stolen access tokens, it's possible to take over accounts.

The Facebook social media service can be used as an "identity provider" with Azure AD B2C, which is Microsoft's identity service for connecting businesses with consumers. It's been possible to use a Facebook ID (along with IDs from Amazon, Google and LinkedIn) with the service ever since Microsoft launched Azure AD B2C in 2016. More recently, Microsoft added GitHub and Twitter as accepted identity providers that can be used with the service.

While the Facebook hack exposed the access tokens of Facebook users, the breach didn't affect users of the Azure AD B2C service, Microsoft contended, even if Facebook served as the identity provider. The Azure AD B2C service doesn't use those Facebook tokens directly. Instead, it uses an authorization code that's sent from the user's browser, Microsoft explained in its announcement.

Here's how the announcement expressed it:

Since B2C does not accept access tokens from the end user, the exploit that Facebook has described does not apply -- even if an attacker presented B2C with the access token of another Facebook user, B2C is not configured to accept it to authenticate the user.

Facebook acted about two days after detecting the breach to address the issue, according to Rosen, in a video in Facebook's announcement. The software flaws were fixed, the tokens were reset and Facebook temporarily turned off the View As feature, according to the company. All Facebook users (90 million accounts) will be compelled to sign back into their accounts as a precaution.

Rosen stated that "there's no need for anyone to change their [Facebook] passwords." However, the U.S. Federal Trade Commission, in a consumer advisory on the matter, recommending doing it anyway.

In an Oct. 2 announcement, Rosen said that analysis by Facebook had showed that no "third-party apps" had been accessed using Facebook logins as a consequence of the breach.