2018 has been a rough year for Facebook. The social media giant has had more than its share of scandals this year and the one they revealed today may just be the proverbial cherry on top. Facebook discovered a security flaw that allowed hackers to take over up to 50 million user accounts, the worst crisis the company has had so far. Facebook's statement reads:
Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
The company has been unable to determine yet whether the attackers misused any of the affected accounts or stole private information. The vulnerability had existed since July 2017, but Facebook did not discover it until this month when it spotted an unusual increase in the use of its “view as” feature. Facebook stated that it fixed the flaw on Thursday and had also notified the U.S. Federal Bureau of Investigation, Department of Homeland Security and Irish data protection authority about the breach.
"View as" temporarily disabled as a precautionary measure
“View as” allows users to see what their profile looks like to someone else. The flaw issued users of the tool similar to browser cookie, that could be used to post from and browse Facebook as if they were someone else. As a part of the fix, the "View as" feature has been temporarily disabled. Additionally, the digital keys of the 50 million affected accounts and another 40 million that have been reset as a precautionary measure.
As a result, about 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said. They also recommend that users visit the 'Security and Login' section in settings and log out of all the sessions listed on the page. It is reasonable to assume that a lot of people won't bother logging back in after today's events.
News Source: Facebook
