Facebook disclosed on Friday, September 28, that attackers had exploited a flaw in its code that allowed them “to steal Facebook access tokens which they could then use to take over people’s accounts.”
Some 50 million user accounts are known to be affected by the theft of their access tokens. These “digital keys” keep users logged in to Facebook and spare them the inconvenience of having to re-enter their password every time they want to use the site.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’,” reads the note by Guy Rosen, Facebook’s vice-president of product management. The commonly-used “View As” tool allows users to view their own profile as though they were someone else.
As later revealed by Facebook, the attack leveraged three distinct bugs in combination. The security hole has been patched, and the “View As” feature has been turned off for the time being.
Facebook, which has over 2.2 billion monthly users, said that the attack was uncovered by its engineers on September 25 following an internal probe that had been triggered by an unusual spike in use of the “View As” tool.
With the investigation still under way, it remains unclear whether the accounts were misused or any private information contained therein was compromised. The identity or the motivations of the attackers aren’t known, either.
Are you affected?
Facebook has revoked access tokens for the known 50 million victims – which reportedly include CEO Mark Zuckerberg and COO Sheryl Sandberg themselves.
In addition, Rosen said that Facebook has also taken “the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year”.
As a result, the 90 million users will have to log back into their Facebook accounts – or, indeed, into any other online service that they access through Facebook login. This is because the stolen tokens could also be used to access third-party apps and websites if the users logged into them using their Facebook username and password. A host of big names such as Facebook’s own Instagram, as well as Spotify or Tinder, provide that option.
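The third-party exposure described above is why a service offering Facebook Login should verify a presented token against Facebook rather than trust it as handed over by the client. The following is an added example, not code from this article or from Facebook: an offline decision function that applies the response shape of Facebook's Graph API /debug_token endpoint to constructed sample responses; OUR_APP_ID and the sample values are assumptions.

```python
# Added example (not Facebook's or the article's own code): the server-side
# decision a third-party "Log in with Facebook" service should make before
# trusting a presented access token. The dict shape follows the Facebook Graph
# API /debug_token response (data.app_id, data.is_valid, data.expires_at,
# data.user_id); every sample response below is constructed, not captured.
import time

OUR_APP_ID = "123456789012345"  # hypothetical: this third-party service's app id


def evaluate_token(introspection, claimed_user_id, app_id=OUR_APP_ID, now=None):
    """Return (accept, reason) for one token introspection result.

    Accept only when Facebook still reports the token valid (a revoked token
    flips is_valid to False), it was issued to *this* app, it has not expired,
    and it belongs to the user the client claims to be.
    """
    now = time.time() if now is None else now
    data = introspection.get("data") or {}
    if not data.get("is_valid"):
        return False, "token invalid or revoked upstream"
    if str(data.get("app_id")) != str(app_id):
        return False, "token issued to a different app"
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:  # expires_at == 0 denotes a non-expiring token
        return False, "token expired"
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "token belongs to a different user"
    return True, "ok"


# Constructed samples: a live token, the same token after Facebook revoked it,
# and a valid token that was minted for some other app.
LIVE = {"data": {"app_id": OUR_APP_ID, "is_valid": True,
                 "expires_at": 1_600_000_000, "user_id": "42"}}
REVOKED = {"data": {"app_id": OUR_APP_ID, "is_valid": False,
                    "expires_at": 1_600_000_000, "user_id": "42"}}
OTHER_APP = {"data": {"app_id": "999", "is_valid": True,
                      "expires_at": 1_600_000_000, "user_id": "42"}}
NOW = 1_550_000_000  # fixed clock so the decisions are reproducible

if __name__ == "__main__":
    for name, tok in (("live", LIVE), ("revoked", REVOKED), ("other_app", OTHER_APP)):
        print(name, evaluate_token(tok, "42", now=NOW))
```

Run the check on each sensitive request rather than caching a one-time "logged in" verdict, since Facebook's reset of the 90 million tokens only reaches services that ask again.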
“After they have logged back in, people will get a notification at the top of their News Feed explaining what happened,” wrote Rosen.
What (else) to do?
Even if you weren’t affected, logging out and back into your account won’t hurt, as that will work to reset your access token. This is also a good opportunity to review your security settings by navigating to Settings, then to Security and login, and then to the Where you’re logged in section. If you spot any unfamiliar devices or sessions in the list, you can kill those sessions lickety-split. You can also set up Facebook’s “alerts about unrecognized logins”.
Additionally, in the Apps and Websites section, you can review what other apps or websites you log into using your Facebook credentials and potentially unlink Facebook from those services.
If you’re extra cautious, you may also want to change your password – although Facebook says that there is no need for you to do so – while making sure that you pick a strong and unique password. It is always prudent to turn on two-factor authentication, if you haven’t already.
In addition, watch out for possible phishing attacks taking advantage of this incident where miscreants may attempt to pose as Facebook in a bid to trick you into clicking a malicious link or downloading a weaponized attachment.
Last, but certainly not least, you may want to exercise caution when sharing private information on social media in general.