Attackers exploited a vulnerability in Facebook's 'View As' feature to steal access tokens for up to 50 million accounts.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” Guy Rosen, VP of Product Management at Facebook said.
Facebook founder Mark Zuckerberg followed up shortly afterwards, saying the company had 'patched the issue' and was taking precautionary measures for those who might have been affected.
More than 90 million users have had to log out
It started when Facebook discovered that an attacker had exploited a technical vulnerability to steal access tokens that would let them log in to about 50 million people's accounts on Facebook.
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app. They are bearer credentials: whoever holds a valid token can act as that account without knowing its password, which is why the stolen tokens themselves had to be invalidated.
“We do not yet know whether these accounts were misused but we are continuing to look into this,” Zuckerberg said.
“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened,” Guy Rosen said.
Steps Facebook Took
- Patched the security vulnerability to prevent attackers from being able to steal additional access tokens.
- Invalidated the access tokens for the accounts of the 50 million people who were affected – causing them to be logged out.
- Took the View As feature down to fully investigate the issue. (View As is a privacy tool that lets you see how your own profile looks to other people.)
- Logged out everyone who used the View As feature since the vulnerability was introduced. This will require another 40 million people or more to log back into their accounts.
Facebook faces constant attacks from hackers around the world who want to take over accounts or steal information.
In recent years the social network has also faced scrutiny over how it handles the private information of its users.
Technical Details of Breach
Here are some additional technical details about the security issue, as provided by Pedro Canahuati, VP Engineering, Security and Privacy, Facebook.
- View As should have been a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.
- A new version of the Facebook video uploader (the interface that would be presented as a result of the first bug), introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.
- When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.
It was the combination of these three bugs that became a vulnerability. In practice, an attacker logged in to their own account could open View As on a target, trigger the birthday composer so the video uploader was rendered, and come away with a token that acted as the target with the full permissions of the mobile app, and no password was needed to use it.
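The following is an added illustration in Python, not Facebook's code, of the shape of that chain and of the two-part response (fix the minting path, invalidate the affected tokens). The scope names, user ids, in-memory token store and function names are all constructed for the example.

```python
"""Added example, not Facebook's code: the shape of the View As token bug and of
the two-part remediation (fix the minting path, invalidate affected tokens).

All identifiers, user ids and scope names below are constructed for illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# Assumed scope sets: what a full mobile-app token carries versus what a single
# upload surface actually needs.
MOBILE_APP_SCOPES = frozenset({"read_profile", "read_messages", "publish_posts", "upload_video"})
UPLOADER_SCOPES = frozenset({"upload_video"})


@dataclass
class Session:
    viewer_id: str                    # the authenticated user
    view_as_id: Optional[str] = None  # whose perspective View As is rendering, if any


@dataclass
class TokenStore:
    """Server-side record of issued bearer tokens. Possession of a token is enough
    to act as its user; no password is checked on use."""
    issued: Dict[str, Tuple[str, FrozenSet[str]]] = field(default_factory=dict)
    revoked_users: Set[str] = field(default_factory=set)

    def mint(self, user_id: str, scopes: FrozenSet[str]) -> str:
        token = secrets.token_urlsafe(24)
        self.issued[token] = (user_id, scopes)
        return token

    def resolve(self, token: str) -> Optional[Tuple[str, FrozenSet[str]]]:
        """Who does this token act as? None if unknown or invalidated."""
        entry = self.issued.get(token)
        if entry is None or entry[0] in self.revoked_users:
            return None
        return entry

    def invalidate_user(self, user_id: str) -> None:
        """Response step: invalidate every token for the user, which logs them out."""
        self.revoked_users.add(user_id)


def render_uploader_vulnerable(session: Session, store: TokenStore) -> str:
    """The three reported bugs in one path: the uploader is reachable inside View As,
    it mints a token with full mobile-app scopes, and it binds that token to the
    user being viewed instead of the authenticated viewer."""
    subject = session.view_as_id or session.viewer_id
    return store.mint(subject, MOBILE_APP_SCOPES)


def render_uploader_fixed(session: Session, store: TokenStore) -> str:
    """A preview surface never mints a token; a real uploader binds its token to
    the authenticated viewer with only the scope that surface needs."""
    if session.view_as_id is not None:
        raise PermissionError("View As is view-only: no composer, no token")
    return store.mint(session.viewer_id, UPLOADER_SCOPES)


def attacker_chain(store: TokenStore, render: Callable[[Session, TokenStore], str],
                   attacker_id: str, victim_id: str) -> Optional[str]:
    """Attacker logs in as themselves, opens View As on the victim and triggers the
    uploader. Returns the token that came out, or None if the surface refused."""
    session = Session(viewer_id=attacker_id, view_as_id=victim_id)
    try:
        return render(session, store)
    except PermissionError:
        return None


def demonstrate() -> dict:
    """Runs the chain against both versions and the invalidation step."""
    results = {}
    store = TokenStore()
    # Constructed ids for the example.
    stolen = attacker_chain(store, render_uploader_vulnerable, "attacker", "victim")
    who, scopes = store.resolve(stolen)
    results["vulnerable_token_user"] = who                       # "victim"
    results["vulnerable_can_post"] = "publish_posts" in scopes   # True

    results["fixed_blocks_view_as"] = (
        attacker_chain(store, render_uploader_fixed, "attacker", "victim") is None)
    own_user, own_scopes = store.resolve(
        render_uploader_fixed(Session(viewer_id="attacker"), store))
    results["fixed_own_token"] = (own_user, sorted(own_scopes))  # ("attacker", ["upload_video"])

    # Invalidation: once the victim's tokens are revoked, the stolen one stops working.
    store.invalidate_user("victim")
    results["stolen_token_after_invalidation"] = store.resolve(stolen)  # None
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The fix has two independent halves, and both matter: binding the token to the authenticated viewer rather than the rendered subject closes the impersonation, while down-scoping what a single surface can mint limits the blast radius if a similar path is ever exposed again. Patching alone does nothing for tokens already in the attacker's hands, which is why the invalidation step is shown as well.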