Facebook has fixed another security issue this week, revealing as many as 50 million affected accounts. The social media platform is still investigating the issue, but has determined that the vulnerability stemmed from its “View As” feature, which lets users see what their profile would look like to other people.
Instead of using passwords to take control of a user’s profile, attackers exploited “access tokens,” which “are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.” The issue was tied to a change made to the video uploading feature in July 2017, which in turn affected Facebook’s “View As” system.
Although 50 million accounts are believed to have been directly affected, another 40 million have been looked up, resulting in 90 million accounts being forced to log back in. Over 40,000 third-party applications are believed to use Facebook as an option to log in, prompting worries that the number could still be significantly higher and that data from those third-party apps could also be compromised. Fortunately, however, passwords remain unaffected, meaning users don’t necessarily need to change them following the breach.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based,” reads the Facebook post. “We’re working hard to better understand these details—and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”
In the meantime, Facebook states that it has stomped out the problem and informed law enforcement of the matter. While conducting its investigation, it has temporarily disabled the “View As” feature to avoid further problems.
CEO Mark Zuckerberg and COO Sheryl Sandberg were reportedly among the affected accounts. This marks a particularly bad week for Zuckerberg, as former Taiwanese “white-hat” hacker Chang Chi-yuan has openly threatened to delete Zuckerberg’s account entirely by Sunday, live on stream.
KitGuru Says: Damage this time around seems to have been minimal, but given the sheer frequency and scale of security breaches, it prompts the question as to how long Facebook can last in the court of public opinion. How do you feel about the recent security breach?