Facebook on Friday said that hackers have exploited a flaw in its platform that left the access tokens of almost 50 million Facebook accounts ripe for the taking.
Access tokens are the digital keys that keep users logged into Facebook so they don’t need to re-enter their password every time they use the app. Hackers were able to access these, and from there could have taken over users’ accounts, Facebook said.
The vulnerability, which was discovered by Facebook engineers on Tuesday, existed in Facebook’s “View As” feature, which let users see what their profiles look like from other accounts (i.e., to check that their privacy settings are working and so on).
“This attack exploited the complex interaction of multiple issues in our code,” Guy Rosen, vice president of product management, said in a Friday post. “It stemmed from a change we made to our video uploading feature in July 2017, which impacted View As. The attackers not only needed to find this vulnerability and use it to get an access token, they then [could] pivot from that account to others to steal more tokens.”
The change in the feature that caused the glitch has been in play for at least two months, but it’s unclear when the compromise occurred.
Rosen said that Facebook is in the early stages of investigating the hack, and has not yet determined whether any accounts have been misused or information has been accessed. The company also doesn’t know who is behind the attacks, or where the attackers are based.
Facebook said it has reset the access tokens of the impacted 50 million accounts – and it is also resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year as a precautionary measure. The owners of these accounts will be notified and will need to log back in to Facebook.
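The remediation described above, resetting access tokens so that every outstanding session for an account stops working and its owner must log back in, is easy to show as code. The following Python is an added illustration, not Facebook's code and not from the article: it assumes a stateless HMAC-signed token that carries a per-user "generation" counter, and uses constructed user ids (u1 through u4) standing in for the impacted, precautionary and untouched accounts.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side signing key; a real deployment loads this from a
# secrets manager and rotates it, which is out of scope here.
SERVER_KEY = secrets.token_bytes(32)


class TokenStore:
    """Issues HMAC-signed access tokens and lets them be revoked per user.

    Each token embeds a per-user 'generation' number. Resetting a user's
    tokens bumps the generation, so every previously issued token fails
    validation and the client has to log in again.
    """

    def __init__(self):
        # user_id -> current generation; missing entries are generation 0
        self.generation = {}

    def _sign(self, payload):
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id, now=None):
        # user_id must not contain '.', which is the field separator here
        gen = self.generation.get(user_id, 0)
        iat = int(now if now is not None else time.time())
        payload = f"{user_id}.{gen}.{iat}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token):
        """Return the user_id the token belongs to, or None if it is not valid.

        The issue time is carried in the token so an expiry check can be added;
        this example only checks the signature and the generation.
        """
        parts = token.split(".")
        if len(parts) != 4:
            return None
        user_id, gen, iat, sig = parts
        payload = f"{user_id}.{gen}.{iat}"
        # constant-time comparison so the check does not leak the signature
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        if not gen.isdigit() or int(gen) != self.generation.get(user_id, 0):
            return None  # token predates a reset for this user
        return user_id

    def reset_tokens(self, user_ids):
        """Invalidate every outstanding token for each listed user."""
        for uid in user_ids:
            self.generation[uid] = self.generation.get(uid, 0) + 1


def simulate_reset():
    """Issue tokens, reset the impacted and precautionary sets, report validity."""
    store = TokenStore()
    impacted = {"u1", "u2"}   # constructed stand-in for the accounts whose tokens were exposed
    precautionary = {"u3"}    # constructed stand-in for accounts looked up via "View As"
    untouched = {"u4"}
    tokens = {u: store.issue(u) for u in impacted | precautionary | untouched}

    store.reset_tokens(impacted | precautionary)

    still_valid = {u: store.validate(t) == u for u, t in tokens.items()}
    # A user who logs back in after the reset receives a token that validates again.
    relogin_ok = store.validate(store.issue("u1")) == "u1"
    return still_valid, relogin_ok


if __name__ == "__main__":
    print(simulate_reset())
```

Bumping a per-user counter instead of keeping a denylist of individual tokens is what makes a bulk reset of tens of millions of accounts cheap: the server stores one integer per affected user and never needs to know which tokens were issued.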
“People’s privacy and security is incredibly important, and we’re sorry this happened,” said Rosen. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
The breach comes as Facebook has been struggling to crack down on data misuse and privacy issues on its platform, particularly since the Cambridge Analytica scandal that broke out in March.
“There’s very little information to go on as of now, but it should be made clear that this is distinctly different from the Cambridge Analytica leak that made headlines a few months ago,” said Paul Bischoff, privacy advocate with Comparitech.com. “This is a direct attack by hackers that exploited a vulnerability in Facebook’s View As feature, which was designed to allow users to see their profile pages as a friend or stranger would. In contrast, the Cambridge Analytica incident resulted from the abuse of data that Facebook willingly provided.”
Facebook found itself in hot water after the March incident, with the Securities and Exchange Commission, FBI, and the Department of Justice all reportedly investigating the social media giant.
Sen. Mark R. Warner (D-VA), co-chair of the Senate Cybersecurity Caucus, said on Friday that this week’s Facebook breach is yet another “sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
“The news that at least 50 million Facebook users had their accounts compromised is deeply concerning,” he said in a statement. “A full investigation should be swiftly conducted and made public so that we can understand more about what happened.”
Facebook has tried to step up its game around security – in March the company announced it would expand its bug bounty program in an attempt to thwart improper data handling by third-party app developers. The social network then announced earlier this month that it is expanding that program to sniff out vulnerabilities related to access-token exposure, and that it will offer at least $500 for vulnerabilities found in third-party apps and websites that involve improper exposure of Facebook user access tokens.
However, incidents like this most recent breach continue to heighten concerns around the social network’s efforts when it comes to privacy and security.
“This breach emphasizes just how important software security is, and how subtle solid security engineering can be,” Gary McGraw, vice president of security technology at Synopsys, said. “When a feature like ‘View As’ can be turned on its head into an exploit, it indicates a design problem that led to an unanticipated security vulnerability. Design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built.”