Facebook has issued a password reset for around 90 million users, after a flaw was found in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.
According to a statement by Guy Rosen, VP of product management at Facebook, the flaw was discovered on Tuesday 25th September, and affected almost 50 million accounts. He said that the flaw would have allowed an attacker to steal Facebook access tokens, which they could then use to take over people’s accounts.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he said.
Rosen confirmed that the vulnerability has been patched, and access tokens have been reset for the 50 million, and another 40 million as a precaution.
Rosen said: “This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
He admitted that it was not clear if the accounts were accessed, or who was behind it, but law enforcement had been informed.
He said: “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
Oleg Kolesnikov, director of threat research and cybersecurity analytics at Securonix, said that it appears that the security issue was a result of a code change made to the video uploading feature on Facebook in July of 2017.
Sam Curry, chief security officer at Cybereason, said: “In the big picture this is just another day and another breach and once again 'privacy' is the victim. Whether 50 million, 100 million or 1 billion Facebook users were compromised is immaterial, as the real issue with any compromise is that this is another blow to our collective privacy.
“Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over. Today, consumers are reminded again to watch their identities and credit for abuse.”
Tim Mackey, senior technical evangelist at Synopsys, said: “Because this issue impacted ‘access tokens’, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications.
“If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook.”
A spokesperson for the National Cyber Security Centre said: “There is no evidence that people have to take action such as changing their passwords or deleting their profiles.
“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
The news comes at the end of a particularly bad week for Facebook, after Instagram's founders resigned from the company, and WhatsApp's founder Brian Acton criticized the company in an interview.