Facebook has announced that on Tuesday its engineering team discovered a security issue in the View As feature that affected nearly 50 million user accounts. The firm said attackers had exploited the vulnerability to obtain Facebook access tokens – the equivalent of digital keys – which gave them access to those users’ accounts.
The firm says it has taken three steps to mitigate further issues involving this bug. The first was to patch the vulnerability and inform law enforcement. It then reset the access tokens of the 50 million accounts it knows were affected, to protect their security. It has also reset the access tokens of another 40 million accounts that had been subject to a View As look-up in the last year. As a result, 90 million people in total will have to log back in to Facebook on their trusted devices, and into any apps that use Facebook Login. Those affected will get a notification explaining what has happened. Lastly, it has temporarily disabled the View As feature while it conducts a thorough security review.
Explaining how the exploit worked, Facebook’s VP of Product Management, Guy Rosen, said:
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”
Facebook topped off the post by saying that people’s privacy and security are very important to it and apologised for the incident. It also clarified that people do not need to change their passwords, but that anyone who has trouble logging back in should use the Facebook Help Centre. If you weren’t automatically logged out but are still concerned that you were affected, you should visit the Security and Login section in settings, check the list of places where you are logged into Facebook, and log out of all of them.
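Added example, not Facebook’s code and not from the article: a minimal token service that shows why the two responses described above (the bulk reset of 90 million accounts’ tokens, and the advice to review the Security and Login list and log out everywhere) neutralise stolen bearer tokens. It assumes HMAC-signed tokens that carry a per-account epoch; bumping the epoch invalidates every token ever issued for that account, even ones the server no longer has a session record for.

```python
import hashlib
import hmac
import secrets

# Constructed signing key; a real deployment loads it from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)

class TokenService:
    """Issues signed bearer tokens and revokes them server-side."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        # user_id -> {"epoch": int, "sessions": {token_id: device label}}
        self.accounts = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: int, device: str) -> str:
        acct = self.accounts.setdefault(user_id, {"epoch": 0, "sessions": {}})
        token_id = secrets.token_hex(8)
        acct["sessions"][token_id] = device
        payload = f"{user_id}.{acct['epoch']}.{token_id}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token: str):
        """Return the user id for a live token, or None for a forged or reset one."""
        parts = token.split(".")
        if len(parts) != 4:
            return None
        uid, epoch, token_id, mac = parts
        if not hmac.compare_digest(mac, self._sign(f"{uid}.{epoch}.{token_id}")):
            return None  # signature mismatch: forged or tampered
        acct = self.accounts.get(int(uid))
        if acct is None or int(epoch) != acct["epoch"]:
            return None  # token predates a reset of this account
        if token_id not in acct["sessions"]:
            return None  # that session was logged out individually
        return int(uid)

    def reset_accounts(self, user_ids) -> int:
        """Bulk reset: every outstanding token for these accounts dies at once."""
        hit = [self.accounts[u] for u in user_ids if u in self.accounts]
        for acct in hit:
            acct["epoch"] += 1  # old tokens still verify but carry a stale epoch
            acct["sessions"].clear()
        return len(hit)

    def active_sessions(self, user_id: int) -> list:
        """The 'where you are logged in' list; returns device labels."""
        return sorted(self.accounts.get(user_id, {"sessions": {}})["sessions"].values())
```

A stolen token passes the signature check but fails on the epoch once its account has been reset, which is why the reset forces a fresh login rather than a password change.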