Another Friday afternoon, another hacking victim confession.
Facebook has announced in a blog post that it’s been the target of an attack that gained access to its corporate network using a security vulnerability in Oracle’s Java software, although the social media firm says it believes no user data was accessed.
“Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack,” the blog post reads. “We have found no evidence that Facebook user data was compromised. As part of our ongoing investigation, we are working continuously and closely with our own internal engineering teams, with security teams at other companies, and with law enforcement authorities to learn everything we can about the attack, and how to prevent similar incidents in the future.”
The attack comes on the heels of similar admissions from a series of hacking targets including the New York Times, the Washington Post, the Wall Street Journal and Twitter. The company, like several of the others, says it’s working with law enforcement to learn more about the breach’s perpetrators.
Facebook’s announcement includes more information than most of those victims about the method used to breach its defenses. The company explains in its post that its staff’s computers were infected with malware when they visited a mobile developer’s website that had been compromised by a hacker. That infected site used a previously unknown vulnerability in Oracle’s notoriously buggy Java software to gain access to the users’ machines via their browser, despite the company’s claim that the computers were fully patched and running antivirus software.
That description of a Java-based attack echoes a warning from Twitter when it admitted that 250,000 users’ accounts had been potentially breached two weeks ago. Twitter suggested that users disable Java, which has been subject to an endless stream of security vulnerabilities, without explicitly saying that Java served as the initial entry point for the attack.
Given the wording of Facebook’s blog post, it’s easy enough to connect the dots between its attackers and those that targeted Twitter. “Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well,” the post reads. “As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means.”
The lesson, for those who haven’t heard it several dozen times already: Disable Java in your browser. (Security blogger Brian Krebs offers a useful guide to disabling Java in any browser here.) Oracle has made clear over the last year that it can’t or won’t suss out and patch the endless collection of hackable flaws in its most widespread consumer program. In multiple cases the company has sat on information about a vulnerability in the software for months, allowing attackers to take advantage of the bug to compromise users via invisible browser-based attacks.
Twitter’s call for users to disable the plug-in earlier this month followed similar sentiments from security researchers, the Department of Homeland Security, and Apple, which has disabled Java by default in its browsers. With another Java victim in the headlines, it’s probably time to take their advice.
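For readers who want to verify that the advice above has actually taken effect on a machine, here is a small Python check. It is an added example, not part of this article or of Krebs’s guide. It assumes that the Java Control Panel’s “Enable Java content in the browser” checkbox is stored as the key deployment.webjava.enabled in the per-user deployment.properties file (Java 7 Update 10 and later) and that the per-user file lives at the usual locations listed in the code; the two sample files are constructed for illustration.

```python
"""Check whether the Java browser plug-in is switched off on this machine.

Added example, not part of the article. Assumptions: the Java Control Panel's
"Enable Java content in the browser" checkbox is stored as the key
deployment.webjava.enabled in the per-user deployment.properties file (Java 7u10
and later), and the file locations below are the usual per-user paths. The two
sample files are constructed for illustration.
"""
import sys
from pathlib import Path

WEB_JAVA_KEY = "deployment.webjava.enabled"  # assumed key name, see module docstring


def _unescape(s: str) -> str:
    """Undo the backslash escaping Java uses for ':' and '=' in .properties files."""
    return s.replace("\\:", ":").replace("\\=", "=")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#' or '!' comment lines, key=value or
    key:value, whitespace around key and value trimmed. Line continuations are
    not handled; deployment.properties does not normally use them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = line, ""
        for i, ch in enumerate(line):
            # the first '=' or ':' not escaped with a backslash separates key from value
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i].strip(), line[i + 1:].strip()
                break
        props[_unescape(key)] = _unescape(value)
    return props


def web_java_enabled(props: dict) -> bool:
    """True if browser Java content is enabled. A missing key means the installer
    default, which is enabled, so the check only passes when the key is explicitly false."""
    return props.get(WEB_JAVA_KEY, "true").strip().lower() != "false"


def default_properties_path() -> Path:
    """Assumed per-user deployment.properties location for the current platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return home / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Oracle" / "Java" / "Deployment" / "deployment.properties"
    return home / ".java" / "deployment" / "deployment.properties"


# Constructed sample: a user who has unticked the browser checkbox.
SAMPLE_DISABLED = """\
#deployment.properties
#Fri Feb 15 14:00:00 PST 2013
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=HIGH
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
"""

# Constructed sample: a freshly installed JRE whose file never mentions the key.
SAMPLE_ENABLED = """\
deployment.version=7.10
deployment.security.level=MEDIUM
"""


def check_file(path: Path) -> bool:
    """Read deployment.properties at `path` and report whether web Java is enabled.
    A missing file is treated as the installer default: enabled."""
    if not path.exists():
        return True
    return web_java_enabled(parse_properties(path.read_text(encoding="utf-8", errors="replace")))


if __name__ == "__main__":
    path = default_properties_path()
    state = "ENABLED (browser plug-in still exposed)" if check_file(path) else "disabled"
    print(f"{path}: Java content in the browser is {state}")
```

The important design choice is that an absent key or an absent file is reported as enabled: Oracle’s installer default is to enable browser content, so a check that only fails when it finds an explicit “true” would give false reassurance on exactly the machines that were never configured. Note that this reflects only the Java Control Panel setting; browsers that block the plug-in on their own (as Apple’s did) are a separate layer that this check does not see.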