Recently, Facebook announced that its engineering team had discovered a security issue affecting almost 50 million accounts.
In an update published by Guy Rosen, Facebook’s VP of Product Management, the social networking platform stated that its own internal investigation had established that the attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens (the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app) which they could then use to take over people’s accounts.
To remedy the situation, Facebook put in place a number of measures. First, the firm stated that it had fixed the vulnerability and reported the breach to law enforcement agencies.
“Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” stated Rosen in the update.
The third step put in place by Facebook to address the breach, stated Rosen, was temporarily turning off the “View As” feature as the firm conducts a thorough security review.
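The remediation described in the three steps above rests on one server-side property: an access token is only as valid as the server says it is, so a provider can cut off every stolen token at once by resetting the affected accounts, forcing their owners to log in again without anyone having to change a password. The following Python is an added illustration of that mechanism and is not Facebook's code (which is not public). It models a token store with a per-account generation counter, a reset that invalidates all outstanding tokens for a set of accounts, and the precautionary selection of accounts that were the target of a "View As" look-up within a time window. The class and function names, the log format and all sample data are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class AccessToken:
    """Server-side record backing one opaque bearer token (constructed model)."""
    account_id: str
    generation: int   # account generation at issue time
    issued_at: float


class TokenService:
    """Hypothetical token issuer with per-account bulk revocation."""

    def __init__(self) -> None:
        self._tokens: Dict[str, AccessToken] = {}
        self._generation: Dict[str, int] = {}

    def login(self, account_id: str) -> str:
        """Issue a fresh random token bound to the account's current generation."""
        gen = self._generation.setdefault(account_id, 0)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = AccessToken(account_id, gen, time.time())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the account id for a live token, or None if unknown or reset."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if rec.generation != self._generation.get(rec.account_id, 0):
            # Issued before the account was reset: stale, so drop it.
            del self._tokens[token]
            return None
        return rec.account_id

    def reset_accounts(self, account_ids: Iterable[str]) -> int:
        """Bump the generation so every outstanding token for these accounts dies.

        Holders must call login() again; no password change is required.
        Returns the number of distinct accounts reset.
        """
        accounts = set(account_ids)
        for acct in accounts:
            self._generation[acct] = self._generation.get(acct, 0) + 1
        return len(accounts)


def accounts_viewed_as_within(log: List[dict], now: float, window_seconds: float) -> Set[str]:
    """Accounts that were the target of a 'View As' look-up in the window.

    Each log entry is a constructed dict {"target": account_id, "ts": unix_time}.
    """
    cutoff = now - window_seconds
    return {entry["target"] for entry in log if entry["ts"] >= cutoff}


def demo() -> Dict[str, Optional[str]]:
    """Walk through: issue tokens, select affected accounts, reset, re-validate."""
    svc = TokenService()
    t_alice = svc.login("alice")
    t_bob = svc.login("bob")
    t_carol = svc.login("carol")

    now = 1_538_092_800.0            # 2018-09-28 00:00 UTC (constructed)
    one_year = 365 * 86400
    view_as_log = [                  # constructed sample look-ups
        {"target": "bob", "ts": now - 30 * 86400},    # inside the window
        {"target": "carol", "ts": now - 400 * 86400}, # outside the window
    ]
    known_affected = {"alice"}
    precautionary = accounts_viewed_as_within(view_as_log, now, one_year) - known_affected

    svc.reset_accounts(known_affected | precautionary)
    return {
        "alice": svc.validate(t_alice),          # None: known affected, reset
        "bob": svc.validate(t_bob),              # None: precautionary reset
        "carol": svc.validate(t_carol),          # still valid: not in window
        "alice_after_relogin": svc.validate(svc.login("alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes the reset cheap: nothing has to enumerate or delete individual tokens at reset time, and a stolen token that is presented later is rejected and discarded on first use. A detection-minded reader can also see why the precautionary set is built from the "View As" log rather than from known victims alone: the attacker's pivot from one account to others leaves exactly that kind of trail.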
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” adds the update.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details… In addition, if we find more affected accounts, we will immediately reset their access tokens.”
Even though those whose accounts were compromised might want to secure their profiles by changing their passwords, Facebook advises that there is no need for such an action.
“There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook – for example because they’ve forgotten their password – should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all,” stated Rosen in the security update published on September 28, immediately after the breach was reported.
Now, weighing in on the issue of Facebook’s breach and whether it is prudent for users to change their passwords, Chester Wisniewski, Principal Research Scientist at Sophos, urges users not to share sensitive information through such platforms.
“In something as big and complicated as Facebook, there are bound to be bugs. The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to users’ privacy as other data breaches we have heard about or even Cambridge Analytica for that matter. As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing,” noted Wisniewski. “This is why sensitive information should never be shared through these platforms. For now, logging out and back in is all that is necessary. The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with.”