Facebook on Friday confirmed it had fixed a security vulnerability that could have allowed hackers to log into around 50 million user accounts. While Facebook reset the logins of those 50 million users, it did the same for another 40 million accounts as a precautionary step. The incident was large enough for Facebook CEO and founder Mark Zuckerberg to post that the social network was still investigating the breach.
“We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more,” he said in a Facebook post.
Facebook Security Breach: 50 Million Accounts Affected
Rosen said the attackers exploited a vulnerability in Facebook’s code that affected its ‘View As’ feature, which lets people see what their own profile looks like to someone else. This is how it was exploited.
“Once the attackers had an access token for one account, let’s say (Alice’s), they could then use View As to see what another account, let’s say, (Bob’s), could see about (Alice’s) account. Due to the vulnerability, this enabled them to get an access token for (Bob’s) account as well, and so on and so on.”
What caused the vulnerability in ‘View As’?
Rosen said the vulnerability was caused by a combination of three bugs affecting the access token, which is like a “digital key that keeps you logged in to Facebook so that every time you open the app, you don’t need to reenter your password”. It is not a password.
Rosen explained that the first bug was that “when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all”. But in some cases it did. Secondly, this video uploader “incorrectly used the single sign-on functionality” to generate an access token with the permissions of the Facebook mobile app.
Finally, when the video uploader showed up as part of ‘View As’ it generated an access token, which it shouldn’t have, “not for you as the viewer, but for the user that you are looking up”. Rosen said the attackers discovered this combination of bugs, which together had become a vulnerability.
Asked why it took Facebook so long to discover this vulnerability, Rosen said that while they do code reviews and run static analysis tools, “regrettably it didn’t catch this complex interaction of bugs that led to this vulnerability”. He did, however, clarify that no passwords were taken in this security breach.
Saket Modi, CEO and Co-Founder of security firm Lucideus, explained that access tokens maintain a persistent session even when your IP (or even MAC address) changes.
“In this case, hackers were able to steal these tokens of nearly 50 Million Facebook users (targets), which basically means the hacker could fool Facebook servers to believe they are the authorised users of the target’s account, which would give the attacker complete access to the target’s account,” he said.
How does the breach affect Facebook users?
Modi said Facebook would have a log of the number of user profiles this feature was used to access, and that, according to its announcement, it has reset those users’ tokens (or expired the existing session).
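The bug chain Rosen describes (an uploader inside a preview minting a token for the looked-up user instead of the viewer) and the token reset Modi mentions, as an added illustrative model that is not Facebook’s code: the session and token classes, the scope name and the audit-log entries below are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import secrets

@dataclass(frozen=True)
class Session:
    user_id: str               # the authenticated viewer (Alice)
    view_as: Optional[str]     # profile Alice is previewing her page as (Bob), or None

@dataclass(frozen=True)
class AccessToken:
    subject: str               # the account this token acts on behalf of
    scope: str                 # e.g. "mobile_app" (hypothetical scope name)
    value: str

def mint_buggy(session: Session, scope: str) -> AccessToken:
    """Buggy issuance, modelling the three bugs in the article: the uploader is
    allowed to run inside a 'View As' preview, it mints a token with app-wide
    scope, and it takes the subject from the preview context (Bob) instead of
    the authenticated session (Alice)."""
    subject = session.view_as if session.view_as is not None else session.user_id
    return AccessToken(subject, scope, secrets.token_hex(16))

def mint_fixed(session: Session, scope: str) -> Optional[AccessToken]:
    """Hardened issuance: a preview context is read-only and never issues a
    credential, and the subject is always the authenticated session user."""
    if session.view_as is not None:
        return None
    return AccessToken(session.user_id, scope, secrets.token_hex(16))

def token_bound_to_session(session: Session, token: AccessToken) -> bool:
    """Server-side check a token-accepting endpoint can run: the token's subject
    must match the session that presented it."""
    return token.subject == session.user_id

# Constructed sample audit log: (session user, view_as target, token subject)
AUDIT_LOG: List[Tuple[str, Optional[str], str]] = [
    ("alice", None, "alice"),    # normal login, token issued for self
    ("alice", "bob", "bob"),     # minted from a preview: Bob's token handed to Alice's session
    ("carol", "dave", "dave"),   # same pattern, another pair of accounts
    ("erin", None, "erin"),
]

def accounts_to_reset(log) -> List[str]:
    """Accounts whose tokens were minted from a preview for someone other than
    the session user; these are the sessions to expire, as in the remediation."""
    return sorted({subject for user, view_as, subject in log
                   if view_as is not None and subject != user})
```

Running `accounts_to_reset(AUDIT_LOG)` on the constructed log returns `["bob", "dave"]`, the accounts whose sessions would be reset.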