New Facebook vulnerability left 50 million accounts exposed

Shortly after confirming the controversial practice of using phone numbers to send targeted ads to Facebook users, the platform discovered a security vulnerability that left at least 50 million accounts at the mercy of hackers.

In a statement, Facebook shared details about a vulnerability in the "View As" feature that allowed hackers to breach users' accounts. "View As" lets users see their profile as others see it. Facebook's vice president of product management, Guy Rosen, said the newly identified exploit allowed attackers to obtain access tokens, which keep users logged into their accounts across multiple login sessions. These tokens are what allow attackers to hijack Facebook accounts.

Facebook's investigation is still ongoing. While the loophole has been fixed, Facebook does not yet know whether the stolen tokens were used and, if so, how many accounts were affected. In any case, Facebook has reset access tokens for 90 million accounts, meaning you may be asked to log back into the platform.

"Here is everything we have done. First, we have fixed the security breach and we have informed the authorities.

"Second, we have reset the passwords of the nearly 50 million accounts we know were affected to protect them. We also took the proactive step of resetting the passwords for another 40 million accounts that tested 'View As' in the last year. As a result, about 90 million people will now have to log back into Facebook or any of their apps that use Facebook login. Once they've logged back in, users will receive a notification at the top of their updates explaining what happened."

The vulnerability came from changes Facebook made to a feature related to video uploading a year ago.

"This attack exploited the complex interaction of multiple problems in our code. It stems from a change we made to the video upload function in July 2017, which affected 'View As'. Attackers not only had to find this security issue and use it to obtain an access ID, but also decided to turn against other accounts to steal credentials."

Finally, the security update states that users do not need to change their passwords and ends with a brief apology:

"People's privacy and safety are extremely important and we regret what happened. That's why we have taken immediate action to protect these accounts and let users know what happened. No one needs to change their passwords."

If this latest breach has you reconsidering your use of Facebook, check out our guide on how to deactivate or permanently delete your account.
