
Latest Facebook hack...50 million users compromised

ITWeb
01 Oct 2018


According to Facebook, attackers exploited a vulnerability in the website's code.

It specifically impacted 'View As', a feature that lets users see what their own profile looks like to others. Three bugs were identified in this feature.

The three bugs related specifically to a redesign of the video uploader tool used to upload videos to the application. The first bug: when using View As, the video uploader tool should not have appeared at all, but on specific posts encouraging people to post happy birthday greetings, it did.

The second bug was that the video uploader incorrectly used Facebook's single sign-on functionality, and generated an access token for the mobile application.

The third bug was that when the video uploader did appear, the access token it generated was issued not for you, the user running View As, but for the user whose profile you were viewing. Attackers discovered this and were able to use it to look up other users and obtain further tokens.

Hackers used this feature to steal Facebook access tokens. Access tokens are the keys that keep you logged into Facebook, so you don't have to re-enter your password every time you use the application or website.
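The three bugs above amount to one authorisation failure: a token was minted for the wrong principal (the profile being previewed) instead of the account that actually logged in. The following Python is an added illustration written for this page, not Facebook's code, and it uses a constructed signing key, constructed user names and a simplified signed-token format. It models the flawed issuance next to a hardened version that binds the token subject to the authenticated session and refuses to mint inside a View As preview, and it also shows a per-user token version as one way to implement the mass "reset access tokens" remediation Facebook describes later in the article.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical signing key for this constructed model; a real service would
# load a managed secret instead of a literal.
SIGNING_KEY = b"constructed-demo-key-not-real"

# Per-user token version. Bumping a user's version invalidates every token
# previously issued for them: a simple way to "reset access tokens" at scale.
TOKEN_VERSION: Dict[str, int] = {}


@dataclass
class Session:
    authenticated_user: str        # the account that actually logged in
    view_as: Optional[str] = None  # profile being previewed via "View As", if any


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def mint_token(subject: str) -> str:
    """Mint a signed bearer token whose subject is `subject`."""
    payload = json.dumps(
        {"sub": subject, "ver": TOKEN_VERSION.get(subject, 0)}, sort_keys=True
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_token(token: str) -> Optional[str]:
    """Return the token's subject if signature and version check out, else None."""
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if claims.get("ver") != TOKEN_VERSION.get(claims.get("sub"), 0):
        return None  # token predates a reset for this user
    return claims["sub"]


def issue_uploader_token_buggy(session: Session) -> str:
    """Models the flaw: the uploader's single sign-on hop takes its subject from
    the profile context, which under View As is the *viewed* user, not the viewer."""
    subject = session.view_as or session.authenticated_user
    return mint_token(subject)


def issue_uploader_token_fixed(session: Session) -> str:
    """Hardened form: never mint inside a View As preview, and otherwise bind the
    subject to the principal that authenticated, not to any displayed profile."""
    if session.view_as is not None:
        raise PermissionError("no token issuance while previewing another user's view")
    return mint_token(session.authenticated_user)


def reset_tokens(user: str) -> None:
    """Invalidate every outstanding token for `user` by bumping their version."""
    TOKEN_VERSION[user] = TOKEN_VERSION.get(user, 0) + 1
```

The design point is that the subject of a session credential must come from the authentication layer, never from whatever profile or context the UI happens to be rendering; the version check is what lets an operator revoke tokens for affected accounts without forcing a password change, which matches the article's note that passwords themselves were not exposed.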

Based on this, hackers would have been able to access Facebook accounts, potentially giving them access to a user's entire profile as well as their private messages.

The attack exploited the complex interaction of multiple issues in the code, which stemmed from a change Facebook made to the video uploading feature in July 2017 that affected the 'View As' functionality.

The attackers not only had to find this vulnerability and use it to obtain an access token; they then had to pivot from that account to others to steal more tokens.

Facebook says it's "only just started our investigation", so it can't confirm whether your account was "misused or any information accessed".

The company also admits that it's clueless about who the hackers are.

"Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," said Facebook's Guy Rosen.

"We also don't know who's behind these attacks or where they're based.

"We're working hard to better understand these details — and we will update this post when we have more information, or if the facts change.

"In addition, if we find more affected accounts, we will immediately reset their access tokens."

Facebook said that there was no evidence private messages had been accessed, but that hackers were able to "use [accounts] as if they were the account holder".

The company also told reporters that no credit card information had been taken.

Details are still unclear, but it doesn't appear as though users' passwords were included in any breached information.

Attackers may have been able to log on as a user and browse their profile (and potentially even their messages), but this wouldn't give them access to passwords, since they would be using the tokens rather than the password itself.

It is still a good idea to change passwords anyway, because hackers may have been able to gather details about individuals and infer passwords that way.

By Drew van Vuuren, Data Protection Officer at ESET Southern Africa.
