Facebook wants its 1.2 billion users to know that it’s working hard to protect them against a sophisticated hack attack known by security experts as BREACH.

Internet security experts said the malware has been around, in different forms, for more than a decade. BREACH works by interacting with the technology that traditionally protects against a different attack known as CSRF, or “cross-site request forgery,” Facebook said in a blog post.

A Facebook spokesperson referred all requests for comments here.

The Menlo Park, Calif.-based social network explained the virus this way:


“CSRF is a well-known technique used against websites with user accounts. The attacker convinces the victim’s browser to send plausible web requests to the target website. The browser is easily fooled because cross-domain requests are commonplace and have many legitimate uses. If the trick works, the attacker can impersonate their victim and send spam or steal information from one of the websites where the victim has an account.”

Thus far, Facebook said, it has managed to beat back serious BREACH and CSRF assaults. If the virus can, for example, figure out a user’s encrypted CSRF token, it stands a better chance of succeeding.

Platforms like Facebook prevent CSRF attacks by issuing the user a secret “CSRF token.” No Web request may take an action on behalf of someone unless it also presents that person’s token. Facebook said that if attackers cannot easily discover the CSRF token, they generally aren’t able to impersonate the intended victim.
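As an added illustration (constructed here, not code from Facebook or its blog post), the Python below shows the two halves of the problem the article describes: a page that carries a fixed CSRF token next to text echoed from the request compresses to a different size depending on whether the echoed text overlaps the token, which is what BREACH observes through TLS, and a per-response masked token that removes the stable secret from the page while still verifying server-side. The token value, page layout and function names are all assumptions.

```python
import hmac
import os
import zlib

# Constructed session CSRF token (hex); in a real app it lives server-side.
SECRET_TOKEN = "3f9a7c21d4e8b05f"


def build_page(token: str, reflected: str) -> bytes:
    """Constructed HTML response that carries the CSRF token in a form and also
    echoes request-controlled text (a search query, say) on the same page."""
    return (
        "<html><body>"
        f"<p>Results for: {reflected}</p>"
        f'<form><input type="hidden" name="csrf_token" value="{token}">'
        "</form></body></html>"
    ).encode()


def compressed_length(body: bytes) -> int:
    """Size after HTTP compression, which is what BREACH observes on the wire
    even though the bytes themselves are protected by TLS."""
    return len(zlib.compress(body, 9))


def echo_correlates_with_secret(token: str) -> bool:
    """Defender's check: does the compressed size change when the echoed text
    shares a prefix with the secret embedded in the same response?"""
    matching = compressed_length(build_page(token, f'value="{token[:7]}'))
    unrelated = compressed_length(build_page(token, 'value="q8w2e5r'))
    return matching < unrelated  # a shorter response reveals a partial match


def mask_token(secret: bytes) -> str:
    """Hardened form: emit a fresh random mask and the XOR of token and mask.
    Every response carries different bytes, so no stable secret string is
    present on the page for a compression side channel to home in on."""
    mask = os.urandom(len(secret))
    return (mask + bytes(a ^ b for a, b in zip(secret, mask))).hex()


def unmask_token(masked: str) -> bytes:
    raw = bytes.fromhex(masked)
    mask, xored = raw[: len(raw) // 2], raw[len(raw) // 2 :]
    return bytes(a ^ b for a, b in zip(xored, mask))


def verify_token(submitted: str, secret: bytes) -> bool:
    """Server-side check of a submitted masked token, constant-time compare."""
    try:
        return hmac.compare_digest(unmask_token(submitted), secret)
    except ValueError:  # malformed hex from the client
        return False
```

Masking only removes the token as a target; other secrets reflected in compressed responses need the same treatment or a different defence (such as disabling compression for responses that carry them).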

Versions of BREACH and CSRF were responsible for successful hacks in Mexico that affected banks. Similar attacks also hit South Korea, targeting an eBay subsidiary, according to press reports.
