Given the scale and severity of the @facebook breach, I’ll share some thoughts based on our recent @USENIXSecurity paper with @m0eb1t, amrutha, @kaytwo, @stevecheckoway, where we explored the ramifications of your Facebook account being compromised. https://t.co/6gS2ERrGvO (1/n)
There are many nuanced and not-so-obvious issues that arise due to how Single Sign-On functionality interacts with local account management on 3rd parties (referred to as relying parties in the context of SSO). Facebook's current actions do not prevent these attacks (2/n).
In our experiments we demonstrated how the Facebook iOS app was exposing the session tokens over unencrypted connections, while in this attack the root cause is a complex combination of three different bugs as explained here: https://t.co/81KSRoliLN (3/n)