Facebook dropped a bombshell on Friday when it revealed an unknown hacker had breached the site, compromising the accounts of 50 million users. The company’s security team found that three bugs, used in combination, allowed the attackers to break into Facebook accounts.
The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.” Essentially, these tokens prove the Facebook user is the rightful owner of an account and denote what they have access to. As Shadwell describes them: “OAuth tokens are like car keys, if you’re holding them you can use them, there’s no discrimination of the holder.” And in the context of this attack, those keys unlocked not just Facebook accounts, but any site that affected users accessed with a Facebook login. That might include Instagram or news websites.
To get those keys, the hackers abused a feature in Facebook called “View As.” It allows any user to see what another can access on their profile. For instance, if you’ve blocked your dad from looking at your photos, you can check it’s working by effectively impersonating your father and viewing your profile.
The exploit was ironic. Facebook’s “view as” feature, a tool ostensibly designed for privacy purposes—that is, to let users check how their profile appears to other people—accidentally acted as a data sieve. While viewing one’s profile “as someone else,” an attacker could trigger a buggy video uploader through a mechanism intended to let people wish one another “happy birthday.” Accessed this way, the video uploader—containing flawed code since July 2017—served up a log-in token for that “someone else,” rather than for the true viewer. By impersonating targets through “view as,” an attacker could reap tokens galore.
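As an added illustration of the failure pattern described above (this is not Facebook’s code; the session fields, token store and scope names are assumed), the vulnerable issuer takes its subject from the impersonation context and so mints a bearer token for the user being viewed as, while the hardened issuer binds the token to the authenticated principal and refuses to issue one at all while a preview is active. The revocation helper models the forced logout that invalidates already-issued tokens.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple
import secrets


@dataclass
class Session:
    authenticated_user: str                 # the user who actually logged in
    view_as_user: Optional[str] = None      # set while a "View As" preview is active


@dataclass
class TokenStore:
    # token -> (subject the token acts as, granted scopes); constructed in-memory store
    tokens: Dict[str, Tuple[str, FrozenSet[str]]] = field(default_factory=dict)

    def issue_vulnerable(self, session: Session, scopes: List[str]) -> Tuple[str, str]:
        # Bug pattern: the subject is read from the preview context, so under
        # "View As" the bearer token names the impersonated user, not the viewer.
        subject = session.view_as_user or session.authenticated_user
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (subject, frozenset(scopes))
        return tok, subject

    def issue_fixed(self, session: Session, scopes: List[str]) -> Tuple[str, str]:
        # Hardened: a preview context is never a credential-issuing context, and the
        # subject is always the authenticated principal.
        if session.view_as_user is not None:
            raise PermissionError("token issuance is not permitted from a View As context")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (session.authenticated_user, frozenset(scopes))
        return tok, session.authenticated_user

    def whoami(self, tok: str) -> Optional[str]:
        # A bearer token is honoured for whoever holds it; return the subject it acts as.
        entry = self.tokens.get(tok)
        return None if entry is None else entry[0]

    def revoke_for_user(self, user: str) -> int:
        # Forced logout: drop every token whose subject is the affected user.
        doomed = [t for t, (subject, _) in self.tokens.items() if subject == user]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)
```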
To review which services are connected to your Facebook account, take the following steps. Visit “Settings,” then click “Apps and Websites.” You can manage permissions here. If you’re worried about having to remember myriad passwords, use password management software.
Facebook’s horror year took a dramatic turn for the worse after the social media giant admitted a security flaw had allowed hackers to access 50 million Facebook accounts and potentially view people’s private posts and messages.
As well as exposing people’s personal information on Facebook, the flaw would have allowed attackers to seize control of users’ Facebook accounts, Facebook said.
Vice president Guy Rosen said victims who used their Facebook logins to log into other third-party apps could also have had their information from those sites stolen, and it was taking the breach “very, very seriously”.
Facebook said it had logged out the 50 million people whose accounts were compromised, as well as another 40 million who were vulnerable to the attack.
Users don’t need to change their Facebook passwords, the company said.
Here’s Facebook’s official statement.