Facebook Hackers Use 'Watering Hole' Tactic

Facebook has confirmed it was attacked by someone using a particularly sophisticated hacking technique. It says it doesn't appear the hackers were able to access any user data, but the site says it is taking the issue very seriously.

The hackers didn't use the direct approach favored by many would-be attackers who either try to simply access a website's public servers, or send bogus emails to staff in the hope of tricking them into opening infected attachments.

Hackers Lay Trap for Developers

Instead, the hackers breached security at an external website used by developers of mobile applications and websites, including Facebook. Having breached this site, the hackers laid a trap for visitors that installed malicious software.

This tactic has been dubbed a "watering hole" attack, the idea being that it resembles the way some predators in the wild don't go after prey in their homes, but instead lie in wait at a watering hole where they know the prey will eventually have to visit.

In this case, the watering hole was the developer site. (Source: arstechnica.com)

Three Hacker Tactics Combine to Spell Trouble For Facebook

The attack itself used a dangerous combination of three better-known hacker tactics. First, it used a zero-day exploit, meaning it took advantage of a security flaw that wasn't yet known to the creators of the relevant software, in this case Java.

That in turn means there isn't a fix for the flaw: Facebook notes its engineers were running fully-patched software with up-to-date antivirus packages.

Second, the attack was a "drive-by download," meaning it was created in such a way that the computer automatically downloads and tries to install the malicious software the moment the user visits a website. It doesn't require the user to specifically click to agree to the download.

Finally, the security flaw in question was particularly dangerous as it allowed the malware to breach a sandbox, a security measure that effectively walls off different sections of a computer's resources so that if one section is compromised, it can't damage or take control of the entire computer.

Facebook says it immediately contacted law enforcement officials to report the attack. It also got in touch with Oracle, the developers of Java, and Oracle quickly released a fix.

Facebook also shared details of the attack with other users of the developer website. (Source: facebook.com)