Facebook admitted on Friday that an attack had exposed the personal information of nearly 50 million users on its network.
The company said its engineering team discovered the breach and found that attackers had exploited the ‘View As’ feature, which allowed them to take over users’ accounts.
The vulnerability leaked Facebook access tokens, which are the equivalent of digital keys used to gain access to users’ accounts, Facebook added. These tokens let people stay logged in to their Facebook accounts so they don’t need to re-enter their password every time they use the app.
The affected “View As” feature lets users see what their own profile looks like to someone else.
Facebook said it has fixed the vulnerability and notified law enforcement officials. The firm says it has taken three steps to mitigate this issue.
The first measure was to patch the vulnerability. Second, it reset the access tokens of all 50 million affected accounts to protect them; it also reset the access tokens of another 40 million accounts that had been subject to a “View As” look-up in the last year.
As a result, almost 90 million users will need to log back in to Facebook or any apps that use Facebook Login, Facebook said.
Affected accounts will see a notification at the top of their News Feed explaining what has happened.
Third, the company has temporarily disabled the “View As” feature while it conducts a thorough security review.
Explaining the exploit, the company said, “this attack stemmed from a change they made to the video uploading feature in July 2017, which affected View As.” “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” explained Facebook.
“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”
The company apologised for the incident, said that people’s privacy and security are very important to it, and clarified that users don’t need to change their passwords.
Those having trouble logging back in should check Facebook’s Help Center.
Users who want to log out of Facebook as a precaution can use the “Security and Login” section in settings.
This lists all the places a user is logged in to Facebook and lets them log out of all of them with one click.
Following the Facebook Connect security breach, the company has created a tool that lets developers manually identify affected users of their apps and log them out.
Developers who use the official Facebook SDKs and regularly check the validity of their users’ access tokens were automatically protected when Facebook reset people’s access tokens.
However, those who do not use the SDKs or regularly check the validity of access tokens should follow the guideline below:
- Use the Graph API to keep information updated regularly and always log users out of apps where error codes show that any Facebook session is invalid.
See more on Facebook Login security in these best practices:
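As an added illustration of the guideline above (not code from the article or from Facebook): a small Python helper that interprets Graph API `/debug_token` responses and Graph API error payloads to decide which app sessions to end after a token reset. It assumes the documented response shapes and error code 190 for an invalid OAuth token; the sample payloads, user ids and app id `123456` are constructed.

```python
# Graph API error code for an invalid or expired OAuth access token
# (type "OAuthException"); code 4 is an application-level rate limit.
# Both values come from Facebook's public Graph API error documentation,
# not from this article, and are the only codes this example relies on.
INVALID_TOKEN_CODE = 190
RATE_LIMIT_CODE = 4


def token_is_valid(debug_token_response: dict, expected_app_id: str) -> bool:
    """Interpret a /debug_token response. The token counts as valid only if
    Graph flags it valid AND it was issued to this app; a live token minted
    for another app must not be accepted. Missing fields mean invalid."""
    data = debug_token_response.get("data") or {}
    return bool(data.get("is_valid")) and str(data.get("app_id")) == expected_app_id


def should_log_out(graph_response: dict) -> bool:
    """Decide whether a Graph API response means the user's Facebook session
    is gone, in which case the app must end its own session for that user.
    Transient errors such as rate limiting must NOT trigger a logout."""
    error = graph_response.get("error")
    if not error:
        return False
    return error.get("code") == INVALID_TOKEN_CODE


def users_to_log_out(app_id: str, token_checks: dict) -> list:
    """Given {user_id: /debug_token response} for every stored token, return
    the users whose tokens no longer validate and who must be logged out."""
    return sorted(uid for uid, resp in token_checks.items()
                  if not token_is_valid(resp, app_id))


# Constructed sample payloads in the shape Graph API returns (not real data).
LIVE_TOKEN = {"data": {"app_id": "123456", "is_valid": True, "user_id": "u1"}}
RESET_TOKEN = {"data": {"app_id": "123456", "is_valid": False, "user_id": "u2",
                        "error": {"code": 190, "message": "Invalid OAuth access token."}}}
OTHER_APP_TOKEN = {"data": {"app_id": "654321", "is_valid": True, "user_id": "u3"}}
INVALID_SESSION_ERROR = {"error": {"message": "Error validating access token",
                                   "type": "OAuthException", "code": 190}}
RATE_LIMIT_ERROR = {"error": {"message": "Application request limit reached",
                              "type": "OAuthException", "code": RATE_LIMIT_CODE}}

if __name__ == "__main__":
    checks = {"u1": LIVE_TOKEN, "u2": RESET_TOKEN, "u3": OTHER_APP_TOKEN}
    print("log out:", users_to_log_out("123456", checks))             # ['u2', 'u3']
    print("session invalid:", should_log_out(INVALID_SESSION_ERROR))  # True
    print("rate limited:", should_log_out(RATE_LIMIT_ERROR))          # False
```

In a real app the `/debug_token` payload comes from `GET /debug_token?input_token=<user token>&access_token=<app token>`, and the logout decision should run on every Graph call, not only on a periodic sweep.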