Facebook has fixed the vulnerability
On Friday Facebook said it had fixed a security vulnerability that could have allowed attackers to log into about 50 million user accounts. Facebook reset the logins of those 50 million users and, as a precautionary measure, did the same for another 40 million accounts. The incident was big enough for Facebook CEO and founder Mark Zuckerberg to post that the social network was still investigating the breach. “We do not yet know whether these accounts were misused. But we are continuing to look into this and will update when we learn more,” he said in a Facebook post.
When did the Facebook breach take place?
In a press call, also attended by Zuckerberg, Guy Rosen, Facebook’s VP of Product Management, said the vulnerability was introduced in July 2017 when Facebook created a new video upload functionality. Facebook launched a probe into the incident on September 16 after it discovered some unusual activity, like a spike in users. “On the afternoon of September 25, we uncovered this attack and we found this vulnerability,” he said, adding that the FBI was soon notified and the vulnerability was fixed on the evening of September 27, after which Facebook “began resetting the access tokens of people to protect the security of their accounts.” This is why people are having to log back into their Facebook accounts.
How were user accounts compromised?
Rosen said the attackers exploited a vulnerability in Facebook’s code that impacted its ‘View As’ feature that lets people see what their own profile looks like to someone else. This is how it was exploited: “Once the attackers had an access token for one account, let’s say (Alice’s), they could then use View As to see what another account, let’s say, (Bob’s), could see about (Alice’s) account. Due to the vulnerability, this enabled them to get an access token for (Bob’s) account as well, and so on and so on.”
What caused the vulnerability in ‘View As’?
Rosen said the vulnerability was caused by a combination of three bugs affecting the access token, which he described as a “digital key that keeps you logged in to Facebook so that every time you open the app, you don’t need to re-enter your password”. It is not a password.
Rosen explained that the first bug was that “when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all”. But in some cases it did. Secondly, this video uploader “incorrectly used the single sign-on functionality” to generate an access token with the permissions of the Facebook mobile app.
Finally, when the video uploader showed up as part of ‘View As’ it generated an access token, which it shouldn’t have, “not for you as the viewer, but for the user that you are looking up”. Rosen said the attackers discovered this combination that had become a vulnerability.
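To make the three-bug chain concrete, here is a simplified model written for this article, not Facebook’s code: a profile renderer that mints a token for the previewed user during ‘View As’, beside a hardened version that keeps the uploader out of preview mode and only issues tokens bound to the authenticated login. All names (Session, mint_token, the token format and scopes) are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib, hmac, secrets

# Constructed signing key; stands in for whatever a real token service uses.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Session:
    user: str                      # the authenticated account (the real viewer)
    view_as: Optional[str] = None  # set when previewing the profile as another user


def mint_token(subject: str, scope: str) -> str:
    """Issue a bearer token for `subject` (simplified subject|scope|mac format)."""
    payload = f"{subject}|{scope}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}|{mac}"


def token_subject(token: str) -> str:
    return token.split("|")[0]


def render_profile_vulnerable(session: Session) -> dict:
    """Model of the three combined bugs described in the article."""
    page = {"profile_of": session.view_as or session.user}
    # Bug 1: the video uploader is rendered even in View As mode.
    page["video_uploader"] = True
    # Bug 2: the uploader goes through single sign-on and gets app-level scope.
    # Bug 3: the token is minted for the user being looked up, not the viewer.
    page["uploader_token"] = mint_token(session.view_as or session.user, "mobile_app")
    return page


def issue_for_session(session: Session, subject: str, scope: str) -> str:
    """Issuance guard: a session may only obtain tokens for its own login."""
    if subject != session.user:
        raise PermissionError(f"{session.user} requested a token for {subject}")
    return mint_token(subject, scope)


def render_profile_hardened(session: Session) -> dict:
    """Same page, with preview mode carrying no token-issuing widget at all."""
    page = {"profile_of": session.view_as or session.user}
    if session.view_as is None:  # Fix 1: preview mode never shows the uploader
        page["video_uploader"] = True
        # Fixes 2 and 3: narrowly scoped and bound to the viewer's own session
        page["uploader_token"] = issue_for_session(session, session.user, "video_upload")
    return page
```

The guard in issue_for_session is the part worth copying: a token request whose subject differs from the authenticated principal is refused at the issuance boundary, whatever UI path produced it.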
What should Facebook users do now?
As a precaution, Saket Modi (CEO & Co-Founder of security firm Lucideus) recommended that all Facebook users log out and log back in on every device on which the social network was active.
Meanwhile, Sophos Principal Research Scientist Chester Wisniewski reminded that there are bound to be bugs in something as big and complicated as Facebook. While accepting that the theft of access tokens was a problem, he suggested it was not nearly as big a risk to users’ privacy. He had his own suggestion too: “As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”