facebook exploit

a widespread security flaw that could have allowed hackers or other malicious third parties to access an affected user’s account by gleaning their security token. The flaw affected as many as 50 million people, and Facebook says it’s forcibly making around 90 million users log back into their accounts in full today to be safe. The company says that’s because in addition to the impacted accounts, around 40 million additional people simply used the exploitable feature since the exploit was active starting in July of 2017.

It also says it’s fixed the issue and alerted law enforcement, indicating that this is not an engineering mistake, but a purposeful exploit discovered and used by some third-party organization or hacker. The company says its engineering team was made aware of the issue on September 25th, but Guy Rosen, Facebook’s vice president of product management, says it’s not clear whether accounts were compromised, when the issue was exploited, or who might have been behind the attack.

AN ATTACKER EXPLOITED FACEBOOK’S VIEW AS FEATURE TO GLEAN USER SECURITY TOKENS

“On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook,” wrote CEO Mark Zuckerberg in a post to his personal Facebook page. “We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”

The flaw could have let someone exploit the “View As” feature, which lets you view your own profile as it appears to another user or to the public, as a way of evaluating your specific sharing settings. However, it appears that the feature inadvertently exposed Facebook security tokens when someone selected a profile as the desired View As target. That would let someone gain access to the person’s account. Facebook access tokens are the digital keys that allow mobile users to log in to their accounts without having to retype their passwords.

With full access to a user’s account, the attackers could have used any third-party app that was logged in via Facebook, the company said late Friday.

In addition to making 90 million users log back in today, Facebook said it’s also disabling the View As feature “while it conducts a thorough security review.” The company gives a bit of technical analysis about how the exploit worked, but there still aren’t a lot of concrete details here:

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

On a call with reporters following the announcement, Facebook said that the “video uploading feature” in July of last year related to a tool that allowed users to upload birthday videos in a way that would allow the View As feature to expose secure information, but only when interacting with two other bugs. The company also confirmed that no credit card info was exposed.