A few days ago, it was revealed that attackers were able to exploit a vulnerability in the View As feature of Facebook to gain control of its users’ accounts. It’s estimated that up to 50 million of its users have been affected by the data breach, possibly spread across various regions of the company’s user base.
The View As feature lets a user see what their own profile looks like when viewed as another person, so they can check which of their posts are private, friends-only and so on. However, the breach was later found to have been caused by three bugs, and it involved another feature as well.
The first bug involved the View As privacy feature, specifically one type of content that allows friends to wish others happy birthday. View As then incorrectly offered the opportunity to post a video.
The second bug was in the new version of the Video Uploader, which incorrectly issued an access token that had the permissions of the Facebook mobile app.
Finally, the third bug arose when the video uploader appeared as a part of View As, which in turn generated the access token not for the viewer, but instead for the user that was being looked up.
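The three bugs combine into one pattern: a credential minted inside a simulated-identity render takes its subject from the simulated user and carries a broad scope. The sketch below is an added example, not Facebook's code; it is a simplified model in which all class names, function names and scope labels are hypothetical. It shows that pattern beside a hardened issuer and a simple audit check.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenderContext:
    session_user: str                   # account that actually authenticated
    view_as_user: Optional[str] = None  # identity being simulated, if any

    @property
    def effective_user(self) -> str:
        # Identity the page is rendered as (simulated one wins when set).
        return self.view_as_user or self.session_user


@dataclass(frozen=True)
class Token:
    subject: str  # account the token grants access to
    scope: str    # hypothetical scope label


def issue_token_vulnerable(ctx: RenderContext) -> Token:
    # Flawed pattern: the subject follows the simulated identity, and the
    # scope is the broad app-level one rather than what the widget needs.
    return Token(subject=ctx.effective_user, scope="mobile_app")


def issue_token_hardened(ctx: RenderContext) -> Token:
    # A preview render is read-only, so it never mints credentials.
    if ctx.view_as_user is not None:
        raise PermissionError("no tokens are issued inside a View As render")
    # The subject is always the authenticated session, with the narrowest scope.
    return Token(subject=ctx.session_user, scope="video_upload")


def subject_mismatch(ctx: RenderContext, token: Token) -> bool:
    # Audit check: a token whose subject is not the session owner is a red flag.
    return token.subject != ctx.session_user


if __name__ == "__main__":
    preview = RenderContext(session_user="alice", view_as_user="bob")  # constructed
    leaked = issue_token_vulnerable(preview)
    print(leaked, "mismatch:", subject_mismatch(preview, leaked))
    try:
        issue_token_hardened(preview)
    except PermissionError as exc:
        print("hardened issuer refused:", exc)
```

The same audit check can be run over token-issuance logs: any record where the token subject differs from the authenticated session is worth investigating.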
50 Million Users
Initially, when the issue was discovered on Tuesday 25th September, the company announced that 50 million of its users were vulnerable. In recent days, however, Facebook has reset the access tokens for nearly 90 million users, including 40 million users as a precaution.
A sudden spike in traffic had alerted the Facebook security team some days earlier, on September 16th. As a result, the full extent of the hack was eventually revealed, and the police and other agencies have been informed.
The company has since confirmed that its other apps, WhatsApp and Instagram, are unaffected by the bug. But it is recommended that users of both services unlink, then re-link, their accounts.
It is unclear at present what value or impact the breach will have. While access tokens have been reset for the users affected, any other data that may have been collected during that time could still be in the hands of the hackers. This information could be sold via various channels on the Dark Web, or simply posted to the likes of Pastebin.
If you’re concerned about your online security, or you want to limit your chances of being hacked – and know what to do if you are hacked – then take a look at our Protect Your PC title. It is available to buy from https://bdmpublications.com/buy/windows-10/protect-your-pc-vol-34.