| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by kbenson 2102 days ago

2FA is how you protect your credentials from being stolen and used. This wasn't a case of credentials being stolen, this is a case of someone being tricked into authorizing a separate account to take action. They hacker didn't change his credentials to lock him out, it literally revoked access from him Facebook login to the ad account.

I'm using "login" and "account" specifically here to highlight the difference. On systems where there are likely to be multiple people that need access, there's a distinction between the "service account" and "logins or user accounts" that can control it. Generally, when the service account is created by a login, that login is added implicitly as a controlling user account with full privileges, and other user accounts (logins) can be added with varying levels of control. This situation appears to have been along the lines of the following:

1. User "real_user" create facebook ads account id 123456, and real_user is the admin of the ads account id 123456.

2. At some point real_user adds "scam_user" to the facebook ads account id 123456 with full admin permissions.

3. scam_user uses the full admin permissions it has for facebook ads account 123456 to remove access for real_user.

Note that is is a fully legitimate and common action to take in systems like this. If you are a business and pay someone to manage your facebook ads, they are likely the admin on the account (and you may be too), and if they leave and you hire a new person to manage it, you would want to revoke the old employee's account access and add access to the new employee's account.

This is how you handle it on Google Suite, Zoom's business accounts, Active Directory in Windows domains, etc. The real problem here is that the scammer got enough permissions to revoke the original user, and the original user did not get an email notification. I'm not sure if facebook ads allows adding accounts with limited permissions so only certain actions can be taken and part of the scam was making the permissions asked for non-obvious, or if that's a permissions distinction facebook ads doesn't support.