The security breach which was discovered by Facebook (NASDAQ: FB) engineers on September 25 allowed the attackers to take direct control over user accounts; around 50 million of them to be exact.
The Latest Facebook Security Breach
In addition to the 50 million, Facebook also said there were another 40 million accounts which were potentially vulnerable. All said, the company logged out 90 million accounts to prevent further damage.
In a security update, Facebook admitted the attack was able to exploit the complex interaction of multiple issues in its code. This came about from a change the company made to its video uploading feature in July of 2017 affecting the “View As” feature.
Facebook said, “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
This attack couldn’t have come at a worse time for Facebook. The company is trying to ratchet up its security before the upcoming mid-term elections while at the same time trying to recover from the Cambridge Analytica fiasco in which data from about 87 million users was shared with a political consulting agency.
The View As Feature
The View As feature allows users to see how a profile looks to other people.
The attackers were able to exploit three flaws or bugs in the “View As” feature. In the same security update, Pedro Canahuati, Vice President of Engineering, Security and Privacy, listed those flaws as follows:
- View As incorrectly provided the opportunity to post a video.
- A new version of the video uploader (the interface that would be presented as a result of the first bug), introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.
- When the video uploader appeared as part of View As, it generated the access token NOT for the viewer, but for the user the viewer was looking up.
Facebook said it has turned off the View As feature temporarily while it conducts a security review.
Tricking Facebook to Issue Access Tokens
With this vulnerability, the attackers were able to trick Facebook into issuing them access tokens. This gave them access to user accounts as if they were the user.
They also had access to services the user might’ve registered for using Facebook such as Airbnb, Spotify, Tinder or other apps and games.
Facebook has reset the access tokens of the 50 million accounts that were affected as well as the additional 40 million accounts that might’ve been vulnerable.
If your account was one of the 90 million affected by this incident, you will be prompted to re-login on Facebook and any linked accounts.
Who is Responsible?
In a conference call (PDF) Guy Rosen, Vice President of Product Management for Facebook said the company has notified law enforcement and is working with the FBI.
As to who is responsible, Rosen goes on to say it is hard to discover who was behind the attack, adding “We may never know.”