Facebook reported that a recent cyber attack has exposed personal information of 50 million accounts.
The social network team revealed that hackers have exploited a vulnerability in the “View As” feature which let them steal Facebook access tokens.
Thanks to the “View As” feature, users can see how other people see their profile. This feature is implemented under the privacy section to help users check that only the intended data is visible on their public profile.
On September 16, the Facebook team spotted a traffic spike; the cyber attack itself was identified on September 25, when the team found the way the platform was breached. Officially, Facebook disclosed the incident on September 27.
In response to the attack, the Facebook team disabled the “View As” feature, reset the security tokens for the 50 million impacted accounts, and, as a precautionary measure, reset them for another 40 million accounts. Additionally, hackers managed to access some data of the Facebook founder Mark Zuckerberg and the COO Sheryl Sandberg.
The Facebook team is notifying all the users whose tokens have been compromised by the attackers.
According to the social network, the vulnerability is the result of the chaining of three flaws affecting the “View As” feature and Facebook’s video uploader. The version of the video uploader interface affected by the vulnerability was introduced in July 2017.
1. Experts noticed that “View As” displays the profile as a read-only interface, but the platform fails to validate the content submitted through the text box that allows people to wish happy birthday to their friends (this is the first bug). The experts discovered that it is possible to post a video through this field.
2. The second issue is related to the fact that the video uploader generated an access token that had the permissions of the Facebook mobile app when posting a video in the text box.
3. The third bug is that the token generated was not for the user who had been using “View As” but for the one whose profile was being viewed, this means that attackers could obtain the token from the page’s HTML code and use it to take over a targeted user’s account.
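The principal confusion at the core of this chain (a token minted for the viewed profile instead of the authenticated viewer, then exposed in the page) modelled as added example code; this is not Facebook’s code, and the Session/Token classes, the scope names and the hardened policy are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional
import secrets

# Constructed model of a "View As" session: actor_id is the authenticated user,
# view_as_id is the profile being previewed (None outside the feature).
@dataclass
class Session:
    actor_id: str
    view_as_id: Optional[str] = None

@dataclass
class Token:
    subject: str
    scopes: FrozenSet[str]
    value: str = field(default_factory=lambda: secrets.token_hex(8))

# Assumed scope set of the mobile app (constructed, not Facebook's real permissions).
MOBILE_APP_SCOPES = frozenset({"user_profile", "user_friends", "publish_video"})

def mint_token_vulnerable(session: Session) -> Token:
    """Models bugs 2 and 3: the uploader mints a mobile-app-scoped token for the
    page's 'effective user', which inside View As is the viewed profile."""
    effective_user = session.view_as_id or session.actor_id
    return Token(subject=effective_user, scopes=MOBILE_APP_SCOPES)

def render_composer_vulnerable(session: Session) -> str:
    """Models bug 1: the read-only preview still renders the birthday composer,
    and the uploader's token ends up embedded in the page HTML."""
    tok = mint_token_vulnerable(session)
    return f'<div class="composer" data-uploader-token="{tok.value}"></div>'

def mint_token_hardened(session: Session, requested: FrozenSet[str]) -> Token:
    """Bind every token to the authenticated actor, never to the viewed-as identity,
    refuse to mint inside a read-only preview, and grant only the requested scopes
    the uploader actually needs (least privilege)."""
    if session.view_as_id is not None:
        raise PermissionError("View As is read-only: no access tokens are issued")
    return Token(subject=session.actor_id, scopes=requested & {"publish_video"})

def subject_mismatch(session: Session, token: Token) -> bool:
    """Invariant a token service can assert at issue time: subject == actor.
    Returns True when the token was minted for someone other than the caller."""
    return token.subject != session.actor_id
```

The `subject_mismatch` check is the kind of issue-time invariant that would have flagged the third bug regardless of which UI path requested the token.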
Another interesting thing about the recent cyber attack is the fact that hackers would first hack into a friend’s account and then attack other accounts connected to it.
Facebook also reported that the criminals queried the APIs to access profile information, but no private information (private messages or credit card data) seems to have been accessed.
Another underestimated aspect is the fact that the exposed tokens could be used to access third-party apps that rely on the Facebook profile for authentication (Facebook Login). The token reset also mitigated this risk.
In addition, the experts warn that users who have linked their Facebook and Instagram accounts should unlink and re-link them due to the reset of the tokens.