Although it was confirmed that 50 million Facebook users were affected by the recent hack, officials were worried that this number could be significantly higher due to third-party apps linked with the site. Fortunately, the social network has concluded that the attacker didn’t use the same tokens to “log in with Facebook,” stating that third-party data remains uncompromised.
Facebook Login is a handy tool designed to make the user’s life significantly easier. At the click of a button, the social media site allows users to skip over the monotonous details by linking Facebook to supported third-party sites. Unfortunately, these sites also became a potential target the moment Facebook’s “View As” vulnerability was exploited to expose at least 50 million accounts.
Instead of utilising passwords, the attack exploited “access tokens,” allowing the attackers to unlock a profile with what is essentially a “digital key.” According to Usenix, those same keys could have been used to “log in with Facebook” across 40,000 third-party sites; however, Facebook VP of Product Management Guy Rosen has stated that this doesn’t seem to be the case.
“We’ve had questions about what exactly this attack means for the apps using Facebook Login. We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login,” explains the post.
“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens.” For sites that don’t meet these requirements, Facebook is currently working on a tool that lets developers identify affected apps and force a log-out and token reset on their end.
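Rosen’s distinction between apps that regularly re-checked their users’ access tokens and apps that did not is the whole mechanism behind that sentence. The following added example (not code from the article, Facebook, or any SDK) simulates it offline: a stand-in identity provider issues tokens and then mass-resets them, and a relying party either trusts its cached login or re-checks the token with the provider; the provider, the shape of the `debug_token` reply, and the sample user id are all assumptions.

```python
# Added example (not from the article or Facebook): a simulated identity
# provider and a relying-party app show why re-checking token validity is
# covered by a token reset while trusting a cached login is not. Everything
# is a constructed stand-in; debug_token() only mimics an introspection reply.
import secrets, time

class SimulatedProvider:  # stand-in identity provider, in-memory token store
    def __init__(self):
        self._tokens = {}  # token -> user_id
    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token
    def debug_token(self, token):
        user_id = self._tokens.get(token)
        return {"data": {"is_valid": user_id is not None, "user_id": user_id}}
    def reset_all(self):
        self._tokens.clear()  # mass reset as in the article: every token revoked

class RelyingParty:
    # recheck_after=None trusts the login forever; N re-checks every N seconds
    def __init__(self, provider, recheck_after=None):
        self.provider, self.recheck_after = provider, recheck_after
        self.sessions = {}  # session_id -> (token, user_id, last_checked)
    def login(self, token):
        info = self.provider.debug_token(token)["data"]
        if not info["is_valid"]:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (token, info["user_id"], time.monotonic())
        return sid
    def whoami(self, sid):
        if sid not in self.sessions:
            return None
        token, user_id, last_checked = self.sessions[sid]
        if self.recheck_after is None:
            return user_id  # never re-validated: the session survives a reset
        if time.monotonic() - last_checked >= self.recheck_after:
            if not self.provider.debug_token(token)["data"]["is_valid"]:
                del self.sessions[sid]  # revoked upstream: end local session too
                return None
            self.sessions[sid] = (token, user_id, time.monotonic())
        return user_id

def run_scenario():  # who each app thinks is logged in before/after the reset
    provider = SimulatedProvider()
    token = provider.issue("user-123")  # constructed sample user
    cached, checked = RelyingParty(provider), RelyingParty(provider, recheck_after=0)
    c_sid, k_sid = cached.login(token), checked.login(token)
    before = (cached.whoami(c_sid), checked.whoami(k_sid))
    provider.reset_all()
    return before, (cached.whoami(c_sid), checked.whoami(k_sid))
```

After the reset the caching app still reports the user as logged in, which is exactly the gap Facebook’s forthcoming tool is meant to close; the re-checking app drops the session on its own.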
“We’re sorry that this attack happened — and we’ll continue to update people as we find out more,” concludes Rosen.
KitGuru Says: GDPR’s 72-hour disclosure deadline has split people down the middle. On one hand, such vague information in the middle of an investigation causes widespread panic, while on the other, it is likely to hurry investigations in an incredibly transparent manner. Personally, I’m all for being in the know.