Almost 50 million Facebook accounts were affected by a major cyber security breach, the social networking company said on Friday. Facebook said it has already fixed the vulnerability and informed law enforcement.
The company said it had discovered a loophole in the “View As” feature which allowed cyber criminals to gain control of the affected accounts. “View As” is a popular Facebook feature that allows users to see what their profiles look like to others. As a precaution, Facebook has temporarily disabled the feature.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” said Guy Rosen, VP of Product Management at Facebook, in a blog post.
Facebook says attackers exploited a “vulnerability” in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
Access tokens are similar to digital keys that allows users to stay logged into Facebook in the background and don’t need them to re-enter their password every time they launch the application on their phone or use it on a browser.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Facebook added.
Saket Modi, CEO and co-founder at Lucideus cyber security firm, explains that hackers were able to fool Facebook servers to believe they were the authorised users of the target’s account, thus giving the attackers full control and access of the affected account.
“Facebook would have a log of the number of user profiles this feature was used to access, whose tokens they have reset (or the previous session has expired) as per their statement. However, we don’t know for how long the vulnerability existed, who the hacker(s) were and the extent of damage that might have been caused in terms of stealing not only one’s profile data(which was in the case of Cambridge Analytica) but in this case potentially, the personal messages, every picture (even the ones hidden from friends/public), chats on messenger among others,” he added.
Sophos Principal Research Scientist at Chester Wisniewski said, “In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to user’s privacy as other data breaches we have heard about or even Cambridge Analytica for that matter. As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing. This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”
What should users do?
Facebook says users don’t need to reset their passwords as they will reset token accounts in the background if it finds more accounts affected by the breach.
“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center,” said Facebook.
One of the measures that Facebook users can take right now is to log out of all sessions (if using multiple devices) and log in again. Or they can simply reset your passwords right now and add two-step verification.
Users may also revisit the privacy settings of their recent posts and photos as Facebook has disabled the “View As” feature.