Facebook Security Breach Exposes Accounts of Millions of Users
On 25th September 2018, Facebook’s engineering team discovered a security issue affecting millions of user accounts. The team said it is taking the matter seriously and has taken the necessary actions to protect people’s privacy.
Guy Rosen, VP of Product Management, said: “It is known that the attackers exploited a vulnerability in Facebook’s code that impacted the ‘View As’ feature, which lets people see what their own profile looks like to someone else. This allowed the hackers to steal Facebook access tokens, which they could then use to take over people’s accounts.” Access tokens are the equivalent of digital keys that keep a user logged into Facebook so that they do not need to re-enter their password each time they use the app. The Facebook security team has already taken several actions. The first step was to fix the vulnerability and inform law enforcement.
A spokesperson for the National Cyber Security Centre said, “We are investigating how the breach occurred and how it has affected people, and will advise on the relevant mitigation measures.” The second step is that the team has reset the access tokens of almost 50 million accounts, and is about to reset the access tokens of another 40 million accounts that have been subject to a “View As” lookup. As a result, around 90 million users will have to log back into Facebook. After logging back in, users will see a notification at the top of their News Feed explaining what happened. The third action is that the “View As” feature has been temporarily turned off to conduct a complete security review. Guy Rosen also added: “We have just started the investigation and are yet to determine whether the information in these accounts has been misused in any way. We do not know who is behind this attack. We are working hard to understand the details and will update soon on this.”
Timeline of the Facebook security flaw
July 2017 | The Happy Birthday video uploader introduces a flaw in the “View As” feature that allows attackers to steal access tokens
16th September 2018 | An unusual spike in traffic floods the servers and an investigation is opened
25th September 2018 | The investigation team finds that 50 million access tokens have been stolen
26th September 2018 | Facebook contacts the FBI
27th September 2018 | The flaw is patched by the evening
28th September 2018 | Facebook publicly discloses the breach and resets the logins of 90 million accounts
On 28th September 2018, Pedro Canahuati, VP of Engineering, Security and Privacy, published additional details on the security issue. During the past week, the Facebook security team disclosed that an external actor attacked its systems and exploited a vulnerability that exposed access tokens for users’ accounts in the HTML of the page when a particular component of the “View As” feature was rendered. The issue was the result of the interaction of three distinct bugs, described below.
The first bug was in “View As”, a privacy feature that lets a user see how their profile looks to someone else. It is meant to be a view-only interface. However, in one case, the composer that lets people wish a friend happy birthday on their timeline, “View As” incorrectly allowed a video to be posted. The second bug was in the new version of the video uploader launched in July 2017, which incorrectly generated an access token carrying the permissions of the Facebook mobile app. The third bug was that, when this video uploader appeared as part of “View As”, it generated the access token not for the actual viewer, but for the user being looked up.
It was the combination of these three issues that created the vulnerability. On this point, Pedro Canahuati added: “When using the ‘View As’ feature to see your profile as a third party, the code does not remove the composer that allows others to wish you happy birthday; instead, the video uploader generates an access token when it should not. When the access token is generated, it is not for you but for the person you are looking up. The access token was then available in the HTML of the page, and the attackers were able to extract it and exploit it to log in as another user. This allowed them to obtain further access tokens by repeating the same actions.”
He also added that the team has fixed the security issue and has reset the access tokens of almost 50 million user accounts known to have been affected, and is now taking the precautionary step of resetting access tokens for another 40 million users. The “View As” feature has also been turned off for the time being to perform an exhaustive security review.
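To make the three-bug chain and the remediation concrete, the following is an added example, not Facebook’s code: a toy rendering path that reproduces the chain (the composer surviving a view-only preview, a token minted with mobile-app scopes, and the token subject becoming the looked-up user rather than the viewer, inlined into the page HTML), the hardened path that suppresses interactive components under “View As” and never writes a token into HTML, a leak check over the rendered output, and the token-reset step for accounts that were subject to a lookup. Every name, class and the sample users “alice” and “bob” are hypothetical constructions for illustration.

```python
# Added example (not Facebook's code): a toy model of the three-bug chain
# behind the "View As" token leak, the hardened rendering path, and the
# token-reset step. All names and data structures here are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple
import secrets

# Scopes the mobile app is granted; the buggy uploader minted tokens with these.
MOBILE_APP_SCOPES: FrozenSet[str] = frozenset({"profile", "post", "video_upload"})


@dataclass
class TokenStore:
    """Server-side record of live access tokens: token -> (user_id, scopes)."""
    tokens: Dict[str, Tuple[str, FrozenSet[str]]] = field(default_factory=dict)

    def mint(self, user_id: str, scopes: FrozenSet[str]) -> str:
        token = secrets.token_hex(16)
        self.tokens[token] = (user_id, scopes)
        return token

    def subject(self, token: str) -> Optional[str]:
        entry = self.tokens.get(token)
        return entry[0] if entry else None

    def revoke_for_users(self, user_ids) -> int:
        """Remediation step: invalidate every token belonging to the given users."""
        doomed = [t for t, (uid, _) in self.tokens.items() if uid in user_ids]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


@dataclass
class ViewContext:
    viewer: str                     # the authenticated user making the request
    view_as: Optional[str] = None   # the third party whose perspective is previewed
    show_birthday_composer: bool = False


def render_profile_vulnerable(owner: str, ctx: ViewContext, store: TokenStore) -> str:
    """Reproduces the bug chain described in the article."""
    html = [f"<div class='profile' owner='{owner}'>"]
    if ctx.show_birthday_composer:
        # Bug 1: the view-only preview still renders the interactive composer.
        # Bug 3: under View As the token subject becomes the looked-up user.
        subject = ctx.view_as if ctx.view_as is not None else ctx.viewer
        # Bug 2: the uploader mints a token carrying full mobile-app scopes,
        # and that token is inlined into the page HTML.
        token = store.mint(subject, MOBILE_APP_SCOPES)
        html.append(f"<video-uploader token='{token}'></video-uploader>")
    html.append("</div>")
    return "\n".join(html)


def render_profile_fixed(owner: str, ctx: ViewContext) -> str:
    """Hardened path: View As is strictly view-only, and no token is ever
    written into the HTML. A composer outside View As would obtain a token
    from an authenticated endpoint instead (not modelled here)."""
    html = [f"<div class='profile' owner='{owner}'>"]
    if ctx.view_as is None and ctx.show_birthday_composer:
        html.append("<video-uploader></video-uploader>")
    html.append("</div>")
    return "\n".join(html)


def leaked_tokens(html: str, store: TokenStore) -> List[str]:
    """Detection check: any live token that appears verbatim in rendered output."""
    return [t for t in store.tokens if t in html]


def demo() -> dict:
    """Alice previews her own profile as her friend Bob (constructed sample data)."""
    store = TokenStore()
    ctx = ViewContext(viewer="alice", view_as="bob", show_birthday_composer=True)

    vuln_html = render_profile_vulnerable("alice", ctx, store)
    leaked = leaked_tokens(vuln_html, store)
    fixed_html = render_profile_fixed("alice", ctx)

    return {
        "vulnerable_leaks": len(leaked),
        # the leaked token belongs to Bob, the looked-up user, not to Alice
        "leaked_subject": store.subject(leaked[0]) if leaked else None,
        "fixed_leaks": len(leaked_tokens(fixed_html, store)),
        # reset: revoke every token issued for accounts subject to a lookup
        "revoked": store.revoke_for_users({"bob"}),
        "tokens_remaining": len(store.tokens),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the dangerous element was not any single bug but the wrong subject on a token that should never have existed in a view-only context, combined with delivering it in the page body; the hardened renderer removes both conditions, and the reset routine is what turns a leaked-token incident into a contained one for the accounts that were looked up.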