In what is becoming a worrying trend, social media giant Facebook has announced that attackers could have gained access to nearly 50 million Facebook accounts by exploiting a vulnerability in its “View As” feature. This is the latest in a long line of security breaches at big companies, with British Airways also affected recently.
Facebook’s security team discovered the vulnerability last Tuesday, September 25th, and immediately took steps to fix the flaw. The issue is now fixed, and Facebook says that attackers should no longer be able to access the affected accounts. The fix could be applied quickly because of the nature of the breach: what the attackers obtained was access tokens, not passwords, and tokens can be invalidated centrally. Guy Rosen, VP of product management at Facebook, said in a blog post that attackers were able to exploit “the complex interaction of multiple issues within our code”, which stemmed from a change made to video uploading in July 2017.
The resulting bugs allowed attackers to acquire something known as an access token. Access tokens are the digital equivalent of keys: they are what lets you stay logged in without entering your password every time you open Facebook. An access token is a bearer credential, so whoever holds a valid one is treated as that user. With stolen access tokens in hand, the attackers did not need a user’s password to gain access to their account.
Facebook’s fix was to reset all access tokens for the affected accounts, which terminates any illicit access because the stolen tokens no longer work. It also reset access tokens for 40 million other accounts that could possibly have been broken into, meaning nearly 90 million users have had their tokens reset in this latest breach. That being said, all those users have to do is log in again with their existing password, and everything should be back to normal, provided the attackers made no changes to the account.
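The mechanism described in the two paragraphs above, as an added illustration rather than Facebook’s own code: a minimal login server that exchanges a password for a bearer access token, honours that token without asking for the password again, and can reset every token for a set of accounts without touching anyone’s password. The class name, the user names and the “stolen token” scenario are all constructed for the example; the point it shows is that a bearer token is only revocable in bulk if the server keeps a record of the tokens it issued (or an equivalent per-user version number), which is what makes a fix like Facebook’s possible.

```python
import hashlib
import hmac
import os
import secrets


class AuthServer:
    """Hypothetical login service (not Facebook's code) used to show how
    bearer access tokens are issued, checked and revoked."""

    def __init__(self):
        self._password_hashes = {}   # user -> (salt, pbkdf2 hash)
        self._tokens = {}            # token -> user; server-side store so tokens can be revoked
        self._tokens_by_user = {}    # user -> set of live tokens

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._password_hashes[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        """Exchange a password for a bearer token; returns None on a bad password."""
        rec = self._password_hashes.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)   # unguessable random bearer credential
        self._tokens[token] = user
        self._tokens_by_user.setdefault(user, set()).add(token)
        return token

    def whoami(self, token):
        """Bearer check: no password involved; any holder of a live token acts as its user."""
        return self._tokens.get(token)

    def reset_tokens(self, users):
        """Invalidate every token for the given accounts. Password hashes are untouched,
        so affected users simply log in again with the password they already have."""
        revoked = 0
        for user in users:
            for token in self._tokens_by_user.pop(user, set()):
                del self._tokens[token]
                revoked += 1
        return revoked


def breach_scenario():
    """Constructed walk-through: a token leaks, is used without a password,
    then stops working once the server resets tokens for the affected account."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")
    server.register("bob", "hunter2")

    alice_token = server.login("alice", "correct horse battery staple")
    bob_token = server.login("bob", "hunter2")

    # Attacker obtains alice's token through some leak (the leak itself is not modelled here).
    stolen = alice_token
    as_whom_before = server.whoami(stolen)          # attacker is treated as alice, no password needed

    revoked = server.reset_tokens(["alice"])        # the fix: reset tokens for the affected account
    as_whom_after = server.whoami(stolen)           # stolen token is now dead
    bob_still_valid = server.whoami(bob_token)      # unaffected accounts keep their sessions

    # alice logs back in with her unchanged password and gets a fresh token.
    new_token = server.login("alice", "correct horse battery staple")
    return {
        "attacker_before_reset": as_whom_before,
        "revoked": revoked,
        "attacker_after_reset": as_whom_after,
        "bob_still_valid": bob_still_valid,
        "alice_relogin_ok": new_token is not None and server.whoami(new_token) == "alice",
        "new_token_differs": new_token != stolen,
    }


if __name__ == "__main__":
    print(breach_scenario())
```

The design choice worth noting is the server-side token table: a purely stateless token (one that is only signed, never recorded) cannot be revoked individually or in bulk without rotating the signing key for everyone, so a service that expects to reset tokens for a subset of accounts needs either a store like this one or a per-user token version that is checked on every request.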
Facebook has turned off its “View As” feature until it can conduct a thorough security review. The company does not yet know whether any accounts were misused or any information accessed, but has said it will release updates on its blog as the investigation continues.
Because the attackers obtained access tokens rather than passwords, and those tokens have now been invalidated, there is no need for anyone to change their Facebook password. Any users who are having trouble logging back in are advised to contact the company’s help center.
More detail on how the attackers gained access is available at the end of Facebook’s blog post.