Failure to secure “View As” feature results in Facebook vulnerability affecting millionsThree bugs creating the vulnerabilityFacebook issues new access tokens for 90 million accountsIt is still unclear who is behind the attack
The statement informs that the investigation regarding the security breach is still in progress. However, it is now clear that the method hackers used to gain control of victim’s accounts is related to Facebook’s “View As” feature, allowing users to view their profiles as someone else. It turns out that the feature gave hackers a chance to steal so-called FB access tokens, later used to access victim’s accounts illegally. According to Pedro Canahuati, the Vice President of Security and Privacy at Facebook, claims that vulnerability “was the result” of three bugs listed below.
Three bugs creating the vulnerability
The “View As” feature was meant to be a view-only interface. It turns out that one type of composer (particularly the one that allows posting a happy birthday wish) – “View As” made it possible to post a video. The latest version of video uploader was was presented in July 2017. It appears that it faulty generated access token that held the permissions for the mobile version of the Facebook app. The faulty video uploader appeared in “View As” mode, generating an access token for the person you want to view your profile as, not for yourself as a viewer.
The access token was available in the HTML code of the page, easily accessible for the attackers. If you are unaware of what access tokens are, these help to keep people logged into the social media platform. Consequently, you do not need to re-login over and over again on a daily basis.
Facebook issues new access tokens for 90 million accounts
Facebook has already reset the access tokens for the said 50 million accounts. Additionally, these were reset for extra 40 million that wasn’t affected by the Facebook security breach. As a result, around 90 million people will be asked to re-login into their accounts the next time they will launch the Facebook app. Besides, a notification informing of what has happened will appear on top of the news feed. The “View As” feature which contained the vulnerability in its code will be temporarily turned off for now. The social media giant’s programmers are currently investigating the code and making sure it fits top quality and security standards.
It is still unclear who is behind the attack
Facebook is in the middle of the investigation to find out how the compromised accounts were affected. The aim is to discover whether the hackers sought to misuse them or to dig for private information. At the moment, it is unclear who are these hackers and what country they originate from. Facebook apologized for the failure to spot the vulnerability before fraudsters did. In addition, it promised to keep resetting access tokens for any vulnerable accounts when discovered. You can read the official statement about the Facebook Security Breach in FB News Room. If you want to learn more about securing your account and learn to identify scams and viruses on the social media platform, consider reading our insights on Facebook viruses. It is unknown whether this has anything to do with a website bug bounty hunter known as Chang Chi-yuan. On Sunday, the guy from Taiwan published a statement saying that he is going to live-stream hacking M. Zuckerberg’s account. However, later that day, he called off his plans, explaining that he didn’t expect his intentions to go viral. It is not clear yet whether he planned to use the vulnerability in “View As” mode or not.