Last month, Facebook discovered that north of 50 million accounts on its social media platform were affected by a security flaw that allowed hackers to gain control over a user’s account.
This vulnerability allowed the attackers to steal Facebook access tokens (digital keys that keep people logged into Facebook) that could be used to gain access to an account.
Facebook’s early-stage investigation has identified that the hackers exploited a vulnerability in Facebook’s code that affected the ‘View As’ feature, which lets people see how their profile looks to someone else.
Upon further investigation, the social media giant found that the attackers had not accessed any of the apps that use Facebook Login.
However, the investigation is still underway, so nothing can be said for sure, except that apps using the official Facebook SDK and those that ‘checked the validity of their users’ access tokens’ were protected from the attack.
Following the attack, Facebook reset the access tokens of all 50 million accounts that it knows were affected, and also of another 40 million accounts “that were subject to a ‘View As’ look-up in the last year”.
For all of these 90 million vulnerable accounts, Facebook reset the access token, forcing the users to log in again.
What do developers need to do?
If a developer uses the official Facebook SDK or regularly checks the validity of their users’ access tokens, their apps are protected. Even so, as a precaution, the social media platform has built tools that will enable developers to identify the user accounts that may have been affected by the recent breach.
According to Facebook, developers need to stick to their login security best practices listed as follows:
- Use the Graph API to keep information updated regularly and always log users out of apps where error codes show that any Facebook session is invalid.
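An added example (not Facebook’s code, and not from the original article) of those two practices in Python: re-checking a stored user token against the Graph API /debug_token endpoint and ending the session when an ordinary API call fails with OAuth error code 190. The endpoint and error code are real Graph API values; the app id, token and response bodies are constructed so the example runs offline.

```python
"""Added example: server-side access-token hygiene for a Facebook Login app.
Parses a Graph API /debug_token response and ordinary Graph API error bodies to
decide whether a user's session must be ended. Sample responses are constructed
here so the example runs offline; the HTTP calls themselves are left to the caller."""
import json
from urllib.parse import urlencode

GRAPH_API = "https://graph.facebook.com"
OAUTH_EXCEPTION_CODE = 190  # Graph API error code for an invalid/expired OAuth token


def debug_token_url(user_token: str, app_id: str, app_secret: str) -> str:
    """Build the /debug_token request; it must be signed with the APP access token
    (app_id|app_secret), never with the user token being inspected."""
    app_token = f"{app_id}|{app_secret}"
    return f"{GRAPH_API}/debug_token?" + urlencode(
        {"input_token": user_token, "access_token": app_token})


def token_is_valid(debug_response: str, app_id: str, now: int) -> bool:
    """True only if Facebook reports the token valid, unexpired and issued to OUR app."""
    data = json.loads(debug_response).get("data", {})
    if not data.get("is_valid", False):
        return False
    if data.get("app_id") != app_id:          # token minted for another app
        return False
    expires_at = data.get("expires_at", 0)     # 0 means a non-expiring token
    return expires_at == 0 or expires_at > now


def session_invalidated(api_response: str) -> bool:
    """True when an ordinary Graph API call failed because the session is gone."""
    err = json.loads(api_response).get("error") or {}
    return err.get("type") == "OAuthException" and err.get("code") == OAUTH_EXCEPTION_CODE


def decide(debug_response: str, app_id: str, now: int) -> str:
    """Action an app should take after re-checking a stored token."""
    return "keep" if token_is_valid(debug_response, app_id, now) else "log_out"


# Constructed sample responses (shape follows the Graph API; values are made up).
DEBUG_OK = json.dumps({"data": {"app_id": "123456", "is_valid": True,
                                "expires_at": 1700000000, "user_id": "42"}})
DEBUG_RESET = json.dumps({"data": {"app_id": "123456", "is_valid": False,
                                   "error": {"code": 190, "message": "Invalid OAuth access token."}}})
ME_ERROR = json.dumps({"error": {"message": "Invalid OAuth access token.",
                                 "type": "OAuthException", "code": 190}})

if __name__ == "__main__":
    print(decide(DEBUG_OK, "123456", now=1600000000))     # keep
    print(decide(DEBUG_RESET, "123456", now=1600000000))  # log_out
    print(session_invalidated(ME_ERROR))                  # True
```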
What do users need to do?
If your Facebook account was vulnerable to the aforementioned security issue, then Facebook has reset your access token.
If you have been logged out of your Facebook account on a PC, or of the Facebook app, Messenger and other apps that use Facebook Login on your smartphone, then your account was found vulnerable to the attack.
While the security vulnerability that has been discovered is a serious one, this notification by Facebook doesn’t reflect that at all. In all probability, people won’t even care about learning more and will just close the notification.
Even if you don’t see the notification, your account might still be vulnerable