50 million Facebook accounts hit by security breach; what we know so far
A security flaw revealed on Facebook this week left around 50 million of its users vulnerable to a cyber-attack, the social networking website has revealed through its newsroom.
Facebook’s VP of Product Management, Guy Rosen, said in a statement on Friday that on Tuesday, September 25, its engineering team discovered a “security issue” affecting 50 million Facebook accounts, and that attackers had already exploited it.
On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.
The statement went on to say that the security flaw was related to Facebook’s “View As” feature, a feature that allows Facebook users to see their own profile through the “eyes” of someone else. It’s a feature we always recommend using every so often to review what strangers (i.e. people you’re not Facebook friends with) can see on your Facebook account.
According to Facebook’s statement, the vulnerability made it possible for attackers to steal “access tokens” of Facebook users that would allow them to take control of that user’s account. Access tokens are created when you log into Facebook and allow you to stay logged in on a particular device instead of having to log in with your password every time you visit the site or use the app. They are unique to each user, but if attackers manage to steal them, they can gain control of that corresponding Facebook account.
The “View As” feature – when enabled – should provide a “read-only” version of Facebook, meaning that while the feature is enabled a user shouldn’t be able to post content to Facebook, only view it. However, a bug meant that users could still post “Happy Birthday” messages to others while the “View As” feature was enabled. It was this interface that – as the result of another bug – provided an access token to the attackers. A third and final bug meant that the access token belonged to the person the attacker was looking through using the “View As” feature, not to the attacker themselves.
So, for example, suppose an attacker wanted to know what their account looked like through the eyes of Facebook friend “Bob”. They enable the “View As” feature and select “View as Bob”, then access the interface that allows them to post Happy Birthday greetings (which should have been disabled), and that interface provides them with Bob’s access token. That allows them to take control of Bob’s account, and from Bob’s account the attackers can then target any of his friends with the same vulnerability.
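To make the chain of bugs concrete, here is a small Python model of the principal confusion the three bugs add up to. This is constructed example code, not Facebook’s implementation, and the names Session, TokenStore, composer_token_vulnerable, composer_token_fixed and revoke_for are my own. The vulnerable path leaves the composer reachable in the read-only preview and mints its token for the previewed account instead of the logged-in actor; the hardened path refuses the composer in preview mode and always binds the token to the actor. revoke_for models the token reset Facebook describes applying to affected accounts, which logs those accounts out everywhere.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional
import secrets


@dataclass
class Session:
    """Server-side state for one logged-in browser session (constructed model)."""
    actor: str                       # the account that actually logged in
    view_as: Optional[str] = None    # set while the read-only 'View As' preview is active


@dataclass
class TokenStore:
    """Maps issued access tokens to the account they act for."""
    tokens: Dict[str, str] = field(default_factory=dict)

    def mint(self, owner: str) -> str:
        token = secrets.token_hex(16)
        self.tokens[token] = owner
        return token

    def owner_of(self, token: str) -> Optional[str]:
        return self.tokens.get(token)

    def revoke_for(self, accounts: Iterable[str]) -> int:
        """Invalidate every token belonging to the given accounts (a forced log-out).
        Returns the number of tokens removed."""
        targets = set(accounts)
        doomed = [t for t, owner in self.tokens.items() if owner in targets]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


def composer_token_vulnerable(session: Session, store: TokenStore) -> str:
    """Models the defect: the composer is reachable in preview mode (bug 1) and
    mints its token for the previewed account rather than the actor (bugs 2 and 3)."""
    subject = session.view_as if session.view_as is not None else session.actor
    return store.mint(subject)


def composer_token_fixed(session: Session, store: TokenStore) -> str:
    """Hardened form: refuse the composer in read-only preview, and never derive
    the token's subject from the impersonation context."""
    if session.view_as is not None:
        raise PermissionError("composer is unavailable while 'View As' preview is active")
    return store.mint(session.actor)


def demo() -> dict:
    """Runs the vulnerable and fixed paths on a constructed session and then
    applies the token reset used as the incident response."""
    store = TokenStore()
    preview = Session(actor="mallory", view_as="bob")   # constructed sample session

    leaked = composer_token_vulnerable(preview, store)
    leaked_owner = store.owner_of(leaked)                 # "bob": the wrong principal

    try:
        composer_token_fixed(preview, store)
        fixed_blocked = False
    except PermissionError:
        fixed_blocked = True

    normal = composer_token_fixed(Session(actor="mallory"), store)
    normal_owner = store.owner_of(normal)                 # "mallory": the actor

    # Incident response: reset tokens for affected accounts, logging them out.
    revoked = store.revoke_for(["bob"])
    return {
        "leaked_owner": leaked_owner,
        "fixed_blocked": fixed_blocked,
        "normal_owner": normal_owner,
        "revoked": revoked,
        "leaked_still_valid": store.owner_of(leaked) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks in composer_token_fixed are independent: even if the composer were exposed in preview again, a token derived from session.actor rather than session.view_as cannot belong to the previewed user, which is the property a code review of this feature should insist on.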
Facebook has also said that it is “clear” that attackers had already exploited this vulnerability, making it a zero-day exploit (an exploit that the attackers knew about before Facebook did).
In fact, the vulnerability itself has been present since July 2017, when Facebook updated its video uploader interface, which was inadvertently still accessible when the “View As” feature was enabled. It is not clear how long attackers have been exploiting this vulnerability since then.
Facebook has said that it has fixed the vulnerability and reset the access tokens belonging to all 50 million affected Facebook accounts, meaning those users will have been logged out of their accounts and will need to log in using their password on any device they use to access the site. As a precautionary measure, Facebook has also reset the access tokens on an additional 40 million accounts that had used the “View As” feature recently.
For the time being, the “View As” feature on Facebook has been disabled on all accounts while Facebook investigates.
It is not known at this time if attackers managed to access or misuse any information via this attack. Nor is it known who the attackers are or where they are based.
What can I do?
If you’ve recently had to log back into Facebook with your password, then it is possible you were affected by this exploit. It is not known whether any information or accounts were misused, but as a precautionary step, we recommend checking your timeline and settings for anything suspicious, as well as checking what Facebook apps you have installed (removing any you don’t recognise).
Stolen access tokens do not give attackers access to your Facebook login password, so there should be no need to change passwords as a direct consequence of this particular attack.
If you think you may have been affected, you can reset your account’s access tokens yourself by heading to your “Security and Login” section and removing devices under the “Authorised Logins” section.
We will update this post when new information comes to light.