Facebook has just come out with news that a security flaw on the website has given hackers access to data from over 50 million user accounts. Facebook has clarified that the security breach originated from the ‘View As’ feature that Facebook has, which allows users to look at a template of their profile as it would appear to a visitor. Hackers were able to exploit the code that was associated with this feature and stole ‘access tokens’ which could be used to take control of the user accounts.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.” Read the blog by Guy Rosen, VP of product management at Facebook.
Facebook has ways to log into an account without having to enter a password and ‘Access tokens’ are a part of that system. And Facebook logged out around 90 million users from their accounts just to be on the safer side.
Facebook has said that it found out about this attack earlier this week and has on its part, informed the necessary law enforcement agencies. The company has clarified that it does not yet know who was behind this attack and is holding an investigation of its own into the matter.
Guy Rosen explained, “We face constant attacks from people who want to take over accounts or steal information around the world,” CEO Mark Zuckerberg said in a Facebook post. “While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
Facebook’s latest security breach comes after the company already faced some harsh music for the Cambridge Analytica scandal in March. And multiple state governments have on their part questioned Facebook’s ability to keep the data of its users safe.
WATCH: Apple iPhone XS, XS Max, and XR First Look
The security flaw behind the present breach was apparently caused by a change that was incorporated in July 2017, when Facebook adjusted how users could upload videos. Facebook is yet to estimate the total damage done in this attack. More to come as Facebook clarifies things soon.
Saket Modi, who is the CEO & co-founder of Lucideus, a Cyber Security company explained to BGR India what this breach is about and said, “If you’ve ever wondered what keeps you logged into your account even after you restart your laptop/browser – those are access tokens (cookies). They maintain a constant session even when your IP (or even MAC Address) changes. In this case, hackers were able to steal these tokens of nearly 50 Million Facebook users(targets), which basically means the hacker could fool Facebook servers to believe they are the authorized users of the target’s account that would give the attacker, complete access of the target’s account.”
As for how this breach will be affecting the users of Facebook, Saket Modi says, “Facebook would have a log of the number of user profiles this feature was used to access, whose tokens they have reset (or expired the session of the previous one) as per their statement. However, we don’t know for how long the vulnerability existed, who the hacker(s) were and the extent of damage that might have been caused in terms of stealing not only one’s profile data(which was in the case of Cambridge Analytica) but in this case potentially the personal messages, every picture (even the ones hidden from friends / public), chats on messenger among others.”
And as for what Facebook users should do to be on the safer side, he suggests, “As a precaution, I recommend all Facebook users to log out and re-login into all the gadgets that you have your Facebook session active like your cell phone (app or browser), laptop, desktop etc.”