Facebook Vulnerability Allowed Theft of Almost 50 Million Access Tokens

Published: September 29, 2018 10:00 AM



Guy Rosen, VP of Product Management at Facebook, has just issued a statement on a severe security issue that affected almost 50 million Facebook accounts. Every Facebook profile had a "View As" option that allowed people to look at their own profiles as others would see them, whether as Facebook friends or not. Somehow, this feature allowed the attackers to steal Facebook access tokens, which then allowed them to take over the accounts. "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app," says Guy Rosen.

Although Rosen claims the investigation is still in its early stages, the issue having been discovered on Tuesday afternoon, September 25, Facebook has now "fixed the vulnerability and informed law enforcement." It has also "reset the access tokens of the almost 50 million accounts we know were affected to protect their security." It is now in the process of resetting access tokens for "another 40 million accounts that have been subject to a “View As” look-up in the last year" as a precautionary step. As a result, about 90 million people will now have to log back into Facebook, or any of their apps that use Facebook Login. If other accounts are found to have been affected, Facebook will also immediately reset their access tokens. Users can also take the initiative and check the Security and Login section in Settings to log Facebook out of all other places. Given that thousands of sites and apps offer login via Facebook, the impact has quite a large footprint.

Finally, the "View As" feature is now temporarily disabled as Facebook conducts a thorough security review. "This attack exploited the complex interaction of multiple issues in our code," says Guy Rosen. "It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.' The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

Facebook is not yet able to determine whether the affected accounts have had their information misused. The attackers and their location are also unknown. Facebook employees are now working hard to better understand these details, and any further information will be included in the Facebook Newsroom post.

In conclusion, Rosen says that "privacy and security is incredibly important, and we’re sorry this happened." If anyone is experiencing any other issue with their account, Rosen advises that they visit Facebook's Help Center.

Have you been affected by Facebook's vulnerability? Did anything in particular happen to your account? Let us know in the comments below.



Richard Costa | Staff Writer
