As we head to the polls today to vote in the U.S. midterm elections, it’s hard to believe it’s been two years since the 2016 presidential election. During the rollercoaster election, social networks were plagued with fake accounts and fake news, all in an effort to sway voters’ ballots.
In 2017, Facebook finally acknowledged malicious actors used their platform “with the intent of harming the reputation of specific political targets.” Since then, Facebook has ramped up their efforts to prevent future election manipulation. One of those efforts is a “War Room,” which I recently discussed. But while Facebook is taking on fake content, they are leaving the back door open for another potential election security risk: false logins.
The Problem: You Never Really Log Out of Facebook on the Web
Every time you log into the social network, Facebook sets local storage values and/or cookies that can potentially be used for nefarious purposes by hackers. Local storage values are typically not cleared with cookies and are cumbersome to delete on desktop computers, and it's even harder to delete on mobile devices.
As a result, even after you “log out of Facebook,” there’s the potential for a hacker to “log you back in.” If a hacker accesses your email and knows the local storage value and/or cookies, they can also log into your Facebook account with a single click, bypassing a formal login, providing they have the right values set. With current and future elections, false logins could potentially create a major risk for manipulation.
Google’s Gmail Is Already Vulnerable to Hackers
It’s no secret Google’s Gmail has security vulnerabilities. Throw in Facebook and you’ve got the perfect election manipulation storm.
Let’s say a hacker accesses your Gmail account. Scrolling through, they see a notification email from Facebook that you were tagged in a post. They open the email, see a preview of the tagged post along with a link ‘View on Facebook.’ The hacker clicks the link and now they’re in, with full access to your Facebook account. And this isn't just applicable to a hacker knowing the local storage value. Most people never log out of their Facebook app to begin with.
For a hacker looking to do some election manipulation, they can spam your followers with fake content, making it appear it’s from you. For the average person, this may just be an annoyance. But if you’re an individual who plays a prominent role in the media or politics, this can be damaging. And for individuals who aren’t able to discern the real news from the fake, how do you mitigate it once it’s gone viral? Unfortunately, oftentimes you can’t. And that’s not the worst of it.
Did you know that Google has a “dots don’t matter” policy in how it processes email addresses? Imagine you get an email notification alert from Facebook for “JohnDoe@gmail.com” that was intended to go to “John.Doe@gmail.com.” When you realize it isn’t your account, you delete the email. But what happens if that email falls into the hands of a person with a different moral compass?
Now they also have the potential to access another individual’s Facebook account.
How to Protect Yourself
Short of completely swearing off Facebook and deleting your account, as of now there’s nothing to prevent false Facebook logins from Gmail or any and all email providers.
Google does offer security activity alerts. If you haven’t already, make sure you turn on email alerts so you’ll be notified of any suspicious sign-in activity. And of course, keep close tabs on any activity coming from Facebook. Get a broader understanding of ad fraud in Anura's free resource, the Ad Fraud Detection eBook.