Facebook security lapse could have allowed hackers to seize control of 50 Mn accounts

Social media giant Facebook has discovered a massive security lapse. The lapse gave hackers potential access to information that could have let them take over tens of millions of accounts. Apparently, as many as 50 million accounts were compromised in one way or another by the time Facebook discovered the issue and initiated corrective measures.

It appears that Facebook avoided a major fiasco in the nick of time. The company first became aware of this issue a couple of weeks ago, when it noticed some suspicious activities, such as a spike in user activity. The vulnerability comprised a total of 3 different bugs, and was centered around weak code associated with the “View As” feature.

Actually, that’s not exactly correct. The vulnerability surfaced due to some changes Facebook made to its video uploading feature in July 2017, which further impacted “View As”. The feature, as you are probably well aware, allows users to take a peek at their own profile and see how it would look to them, their friends, and the public.

According to Facebook,

Attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

As many as 50 million account tokens were stolen. Facebook has now reset those tokens and, as a precautionary measure, an additional 40 million tokens belonging to accounts that used the “View As” feature in the last year. Folks whose tokens have been reset may have been logged out of their account and would need to log in again.

Additionally, Facebook has disabled the “View As” feature, fixed the vulnerability, and informed law enforcement. However, the company said that it was still trying to discover whether any changes were made to accounts whose tokens were stolen.

Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.

Facebook shares dropped by 3.1% after the announcement.

More on this as the story develops. 



This post first appeared on The Tech Portal.