Facebook today confirmed a major security breach affecting nearly 50 million people, whose accounts were compromised when a vulnerability let hackers steal security tokens linked to their profiles.
The flaw was in Facebook’s “View As” feature, which lets account holders see what their profile looks like to someone else – a friend, the public, etc.
Attackers could then exploit the bug to steal Facebook access tokens, which can be used to take over accounts. Tokens act as “digital keys” to keep people logged in so they don’t have to enter a password every time they use the application.
Facebook has fixed the vulnerability, alerted law enforcement to the breach, and now temporarily disabled the “View As” feature while it investigates the problem.
While the investigation is still ongoing, Facebook has confirmed the attack stemmed from a change it made to a video uploading feature in July of last year, which affected the “View As” feature. Attackers needed to find the bug, use it to steal an access token, then pivot from their target account to other accounts in order to steal more of these tokens.
Hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access tokens for more than 50 million accounts.
In a brief blog post published Friday, Facebook revealed that its security team discovered the attack three days ago (on 25 September) and they are still investigating the security incident.
According to the social media behemoth the vulnerability allowed hackers to steal secret access tokens that could then be used to directly access users’ private information without requiring their original account password or validating two-factor authentication code.
Secret access tokens “are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”
What’s an access token? Do I need to change my password?
When you enter your username and password on most sites and applications, including Facebook, your browser or device is set an access tokens. This keeps you logged in, without you having to enter your credentials every time you log in. But the token doesn’t store your password — so there’s no need to change your password.
Is this why Facebook logged me out of my account?
Yes, Facebook says it reset the access tokens of all users affected. That means some ninety million users will have been logged out of their account — either on their phone or computer — in the past day. This also includes users on Facebook Messenger.
When did this attack happen?
The vulnerability was introduced on the site in July of last year, however Facebook didn’t know about it until this month, on September 16th, 2018, when it spotted a spike in unusual activity. That means the hackers could have had access to user data for a long time, as Facebook is not sure right now when the attack began.
What to do?
If you’ve been forcibly logged out by Facebook, then the forced logout will automatically have invalidated any existing access tokens for your account.
There’s no need for anyone to change their passwords. Access tokens are generated randomly after Facebook has gone through the process of validating your password when you login. There is no way to work backwards from an access token to recover your password.
Whether you’re affected or not, as a precautionary measure you can choose to log out of all your Facebook sessions.