Friday September 28, 2018

Facebook "View As" Hack Affects over 90 Million Accounts

Facebook disclosed on Friday, September 28th that it had discovered a breach on Tuesday, September 25th. The security issue directly affected almost 50 million accounts, and Facebook reset the access tokens of another 40 million as a precaution. The flaw was in the "View As" feature, which lets a user see what their own profile looks like to someone else; according to Facebook, it was introduced in July 2017 by a change to the video-upload feature that interacted with "View As". Attackers used the bug to obtain Facebook access tokens and then used those tokens to take over the accounts of other members of the service. Think of an access token as a digital key: it lets a person stay logged in to the app without re-entering their password, so whoever holds the token can act as that user.


Law enforcement has been contacted, and the "View As" feature has been disabled until a more secure implementation can be created. Those affected have been notified by a message at the top of their Facebook News Feed, and Facebook's security team is working to find out who carried out the attack and where it originated. If more affected accounts are found, their access tokens will be reset as well. Thanks @DejaWiz!

From Facebook's statement:

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens. There's no need for anyone to change their passwords. But people who are having trouble logging back into Facebook -- for example because they’ve forgotten their password -- should visit our Help Center.
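To make the token-theft point concrete, here is an added example written for this page. It is not Facebook's code and does not claim to reproduce the actual Facebook bug; it models the general class the article and Facebook's statement describe: a "view my profile as someone else" feature that ends up minting an access token for the impersonated user instead of the logged-in viewer, shown beside a hardened version where the token stays bound to the session owner, plus the token reset the article says Facebook applied to affected accounts. The TokenService, the HMAC-signed token format, the version-bump reset and the user names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Server-side signing key for the toy token format (assumption: one key, rotated elsewhere).
SIGNING_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    """The authenticated browser session; `user` is who actually logged in."""
    user: str


class TokenService:
    """Issues and verifies bearer access tokens of the form subject:version:issued_at:hmac.

    Every user has a token version; bumping it ("resetting tokens") makes all
    previously issued tokens for that user fail verification.
    """

    def __init__(self) -> None:
        self._versions: Dict[str, int] = {}

    def _version(self, user: str) -> int:
        return self._versions.get(user, 0)

    def _sign(self, payload: str) -> str:
        return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str) -> str:
        """Mint a token that lets the bearer act as `subject` (assumes no ':' in user names)."""
        payload = f"{subject}:{self._version(subject)}:{int(time.time())}"
        return f"{payload}:{self._sign(payload)}"

    def verify(self, token: str, max_age: int = 86400) -> Optional[str]:
        """Return the subject the bearer may act as, or None if the token is invalid."""
        parts = token.split(":")
        if len(parts) != 4:
            return None
        subject, version, issued_at, sig = parts
        if not hmac.compare_digest(sig, self._sign(f"{subject}:{version}:{issued_at}")):
            return None  # tampered or forged
        if not version.isdigit() or int(version) != self._version(subject):
            return None  # tokens for this user were reset after issue
        if time.time() - int(issued_at) > max_age:
            return None  # expired
        return subject

    def reset_tokens(self, user: str) -> None:
        """Invalidate every outstanding token for `user` (what a token reset does)."""
        self._versions[user] = self._version(user) + 1


def view_as_vulnerable(svc: TokenService, session: Session, target: str) -> Tuple[dict, str]:
    """Preview of `target`'s profile as seen by `session.user`.

    BUG (hypothetical illustration of the class): a component embedded in the
    preview asks for an access token, and the token is minted for the profile
    being rendered, so the viewer walks away holding `target`'s credential and
    can repeat the trick from `target`'s account to collect more tokens.
    """
    context = {"viewer": session.user, "rendered_as": target}
    embedded_token = svc.issue(target)  # subject is the impersonated user
    return context, embedded_token


def view_as_hardened(svc: TokenService, session: Session, target: str) -> Tuple[dict, str]:
    """Same preview, but impersonation only changes what is rendered: any token
    handed to page components stays bound to the authenticated viewer."""
    context = {"viewer": session.user, "rendered_as": target}
    embedded_token = svc.issue(session.user)  # subject is always the session owner
    return context, embedded_token


if __name__ == "__main__":
    svc = TokenService()
    attacker = Session(user="mallory")
    _, leaked = view_as_vulnerable(svc, attacker, "victim")
    print("vulnerable preview token acts as:", svc.verify(leaked))  # victim
    _, safe = view_as_hardened(svc, attacker, "victim")
    print("hardened preview token acts as:", svc.verify(safe))  # mallory
    svc.reset_tokens("victim")
    print("leaked token after reset:", svc.verify(leaked))  # None
```

The rendering context and the credential are deliberately separate objects: "who is this page drawn for" may change, "who is this request authenticated as" never does. The reset is modelled as a per-user version counter checked on every verification, which is why a leaked token stops working the moment the victim's tokens are reset, without touching the victim's password.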