Hackers exploited a vulnerability in the “View As” feature of Facebook.
Facebook has announced that it suffered a large-scale cyberattack affecting roughly 50 million user accounts.
In a statement, Guy Rosen, Facebook's vice president of product management, said that attackers exploited a vulnerability in the ‘View As’ feature, which lets users see how their own profile looks to other people.
According to Rosen, the attack was discovered on Tuesday. The attackers used the vulnerability to steal access tokens, the digital keys that keep users logged in, for the targeted accounts, which would allow them to take those accounts over.
See: Hacking Facebook Account by Simply Knowing Account Phone Number
At the time of publishing this article, the vulnerability had been fixed and the ‘View As’ feature temporarily disabled. As an additional precaution, Facebook is resetting the access tokens of about 90 million accounts, which will force those users to log in again. Upon logging back in, users receive a notification explaining what happened.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’,” Rosen explained in a blog post. “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
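The two mechanics in Rosen's account, a feature that hands the viewer a token minted for someone else and a mass token reset that forces re-login, can be shown in a few dozen lines. The example below is added here for illustration; it is not Facebook's code and does not reproduce the actual bug, only the class of bug described. Everything in it (the HMAC token format, the in-memory `TOKEN_GENERATION` store, the user names, the `view_as_*` handlers) is an assumption made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, Optional

# Assumption: a single server-side signing key; generated fresh each run.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical account store: user_id -> current token "generation".
# Every token carries the generation it was minted under; bumping a user's
# generation makes all of their older tokens fail verification (forced re-login).
TOKEN_GENERATION: Dict[str, int] = {"alice": 0, "bob": 0, "carol": 0}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str) -> str:
    """Mint an access token for user_id bound to their current generation."""
    payload = json.dumps({"sub": user_id, "gen": TOKEN_GENERATION[user_id]}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str) -> Optional[str]:
    """Return the user the token is valid for, or None if forged or revoked."""
    try:
        p, t = token.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except Exception:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("gen") != TOKEN_GENERATION.get(claims.get("sub")):
        return None  # minted before a reset: rejected
    return claims["sub"]


def revoke_all_tokens(user_ids: Iterable[str]) -> None:
    """The 'reset tokens, make users log in again' response: bump each generation."""
    for user in user_ids:
        TOKEN_GENERATION[user] += 1


# Vulnerable shape: rendering the profile "as" the target embeds a real token
# minted FOR THE TARGET in the page served to the viewer. Whoever can use
# View As now holds a working credential for the target account, and can
# repeat the trick with that token to pivot to further accounts.
def view_as_vulnerable(viewer_token: str, target: str) -> dict:
    viewer = verify_token(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    return {"rendered_for": target, "page_token": issue_token(target)}


# Hardened shape: "as target" is only a rendering hint. The only principal in
# play is the authenticated viewer, and no new token is minted at all.
def view_as_hardened(viewer_token: str, target: str) -> dict:
    viewer = verify_token(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    return {"rendered_for": target, "acting_principal": viewer, "page_token": None}
```

Running the vulnerable handler with Alice's session and Bob as the target yields a token that verifies as Bob; using that stolen token against Carol yields Carol's token, which is the pivot Rosen describes. `revoke_all_tokens` then invalidates every token of the listed users in one write per user, without touching the signing key or anyone else's sessions.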
See: Facebook bug exposed private posts of 14 million users to public
Facebook has apologized to its users and has informed law enforcement of the breach. If you are on Facebook, change your Facebook password and the password of the email account tied to it as a precaution.
Engin Kirda, Chief Architect at Lastline, believes this is a nightmare scenario for Facebook. Following are the core security concerns Kirda addressed in the wake of the breach:
Q: What is the likelihood that no user information was abused?
“It’s difficult to say if any information was abused. The bug in their code does sound like the exploit could have been scripted. So, I would carefully guess that if someone was actively exploiting this vulnerability in the wild, then there is a good chance that they wrote some code and automated the attack to steal sensitive information.”
Q: Are other major social networks vulnerable to similar attacks?
“I would carefully guess that other social networks are not vulnerable to similar attacks. The vulnerability was in proprietary Facebook code and functionality. Other sites might have similar bugs, but this sounds like a specific Facebook implementation issue.”
Q: What should Facebook do now?
“Facebook needs to be open about the problem and the steps that they took. Lately, Facebook has come under intense scrutiny for the way they deal with sensitive user data. This breach will not help, and it will be more difficult for users to trust Facebook with the management of their private data.”
This is not the first time Facebook has been targeted by hackers. In February 2013, the company released a statement admitting that it had been hacked after its employees' computers were infected with malware, compromising the company's systems; no user data was stolen in that incident. In August last year, hackers targeted Facebook-owned Instagram, stealing the data of top celebrities and trading it on the dark web.