On September 25, 2018, Facebook discovered that north of 50 million accounts on its social media platform were affected by a severe security vulnerability that allowed attackers to steal access tokens and take over users' accounts.
Facebook's early-stage investigation found that the attackers exploited a vulnerability in Facebook's code affecting the 'View As' feature, which lets people see how their profile looks to someone else.
This vulnerability allowed the attackers to steal Facebook access tokens (the digital keys that keep people logged in to Facebook so they don't have to re-enter their password) that could then be used to gain access to an account.
According to Facebook, the vulnerability has been patched and law enforcement has been informed of the breach.
90 million accounts affected
The company has reset the access tokens on all 50 million accounts it knows were affected and is also resetting access tokens for another 40 million accounts as a 'precautionary step'.
This means that 90 million people will need to log back into their Facebook accounts, and into any apps, like Instagram, Oculus and others, that use Facebook Login.
How to know if your Facebook account has been affected too?
If your Facebook account was among those affected by (or considered at risk from) this security issue, Facebook has already reset your access token.
So if you have been logged out of Facebook on your PC, or out of the Facebook app, Messenger and other apps that use Facebook Login on your smartphone, your account was one of those whose tokens Facebook reset.
Once you log back in to your account, you'll see the following notification at the top of your News Feed explaining what has happened.
The notification reads: "Your privacy and security are important to us. We want to let you know about the recent action we've taken to secure your account", followed by a 'Learn More' button.
While the vulnerability that was discovered is a serious one, this notification does not convey that at all. In all probability, most people won't bother to learn more and will simply close the notification.
Even if you don’t see the notification, your account might still be vulnerable
Facebook also says that more accounts may turn out to be affected than have been identified so far. As a precaution, visit the Security and Login section in your Facebook account's Settings.
There you can see the devices and locations your account is currently logged in from, and you are given the option to log out any session you don't recognise.
‘View as’ feature turned off
The 'View As' feature that exposed the accounts has been temporarily turned off by Facebook, pending a thorough security review.
Accounts were vulnerable since July 2017
While Facebook still hasn't determined whether any of the vulnerable accounts were actually misused, or who was behind the attack, it has worked out how the vulnerability arose in the first place.
In July 2017, more than a year before the vulnerability was discovered, Facebook changed its video uploading feature, and that change also affected the 'View As' feature.
The video uploader started generating an access token incorrectly, with the permissions of the Facebook app. When the uploader appeared as part of a 'View As' page, instead of generating a token for the viewer, it generated a token for the user whose profile was being looked up.
That token was present in the HTML of the page, from which an attacker could extract it and then use it to log in as the other user.
“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens. People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened,” Facebook stated.
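To make the token-minting mistake and the pivot described above concrete, here is an added Python example that is not Facebook's code and not from the original article. It models a toy 'View As' renderer with HMAC-signed bearer tokens: the buggy version embeds a token for the profile owner, carrying app-level scopes, in the page HTML; the corrected version binds the token to the logged-in session user with a read-only scope and refuses to serve any response that carries another user's token; and a short harvest loop shows how one leaked token lets an attacker walk from account to account. The signing key, scope names, user IDs and HTML layout are all constructed for the demo and are assumptions, not Facebook's real implementation.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo key (assumption); a real service loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed scope names: the app-level permissions the faulty uploader granted,
# versus the single read-only scope a profile preview actually needs.
APP_SCOPES = frozenset({"user_posts", "user_videos", "publish_video"})
PREVIEW_SCOPES = frozenset({"public_profile"})

TOKEN_RE = re.compile(r'data-token="([^"]+)"')


def mint_token(user_id: str, scopes) -> str:
    """Return an opaque bearer token: base64(claims) + '.' + HMAC-SHA256 tag."""
    payload = json.dumps({"uid": user_id, "scopes": sorted(scopes)},
                         sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def authenticate(token: str) -> dict:
    """Verify the tag and return the claims; raise on a forged or edited token."""
    body, tag = token.rsplit(".", 1)
    payload = base64.urlsafe_b64decode(body)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("invalid token signature")
    return json.loads(payload)


def is_valid_token(token: str) -> bool:
    try:
        authenticate(token)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def tokens_in_page(html: str) -> list:
    """What an attacker does: scrape every token the page hands out."""
    return TOKEN_RE.findall(html)


def foreign_tokens(html: str, session_uid: str) -> list:
    """UIDs of any tokens in the response that do not belong to the session user."""
    return [authenticate(t)["uid"] for t in tokens_in_page(html)
            if authenticate(t)["uid"] != session_uid]


def render_view_as_vulnerable(session_uid: str, target_uid: str) -> str:
    """Preview of target_uid's profile as session_uid sees it.

    Bug modelled on the article: the embedded video uploader mints its token
    for the profile being viewed, not for the logged-in viewer, with full app
    permissions, and writes it straight into the HTML.
    """
    token = mint_token(target_uid, APP_SCOPES)
    return (f"<h1>Profile of {target_uid}</h1>\n"
            f'<div id="uploader" data-token="{token}"></div>')


def render_view_as_fixed(session_uid: str, target_uid: str) -> str:
    """Same preview with the token bound to the session user and least privilege,
    plus a server-side guard that refuses to ship anyone else's token."""
    token = mint_token(session_uid, PREVIEW_SCOPES)
    html = (f"<h1>Profile of {target_uid}</h1>\n"
            f'<div id="uploader" data-token="{token}"></div>')
    leaked = foreign_tokens(html, session_uid)
    if leaked:
        raise RuntimeError(f"refusing to serve token(s) for {leaked} to {session_uid}")
    return html


def pivot_chain(renderer, attacker_uid: str, victims: list) -> list:
    """Walk a chain of accounts the way the quoted statement describes: request
    View As, harvest the embedded token, and use its identity for the next hop.
    Returns the UID each harvested token actually belongs to."""
    harvested = []
    acting_as = attacker_uid
    for victim in victims:
        html = renderer(acting_as, victim)
        claims = authenticate(tokens_in_page(html)[0])
        harvested.append(claims["uid"])
        acting_as = claims["uid"]  # with the buggy renderer this is now the victim
    return harvested


if __name__ == "__main__":
    print("vulnerable:", pivot_chain(render_view_as_vulnerable, "attacker", ["alice", "bob"]))
    print("fixed:     ", pivot_chain(render_view_as_fixed, "attacker", ["alice", "bob"]))
```

With the buggy renderer the harvest loop returns the victims' own identities, each hop funded by the previous one's token; with the fixed renderer every token scraped from the page still belongs to the attacker and the chain goes nowhere. The two changes that matter are that the token's subject is taken from the authenticated session rather than from the page being rendered, and that the response is checked before it leaves the server.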
The company also writes that if it finds more affected accounts, their access tokens will be reset too. In other words, the 50 million and 40 million accounts that have already had their tokens replaced are not necessarily the end of the line, and your account might still turn out to be affected.