
Facebook disclosed Friday that attackers exploited a vulnerability in the social media giant's code to potentially take over nearly 50 million people's accounts.
The Menlo Park, Calif.-based company said the vulnerability discovered in Facebook's code Tuesday impacted "View As", a feature that lets people see what their own profile looks like to someone else, according to a post by Guy Rosen, VP of product management, on the company’s website. This allowed the bad actors to steal Facebook access tokens, which they could use to take over people's accounts.
Rosen said access tokens are the equivalent of digital keys that keep people logged into Facebook so that they don't need to reenter their password every time they use the app.
"We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security," Rosen said.
Facebook has yet to determine whether the affected accounts were misused or if any information was accessed, since the company had only just started its investigation, Rosen said. In addition, Rosen said Facebook doesn't know who's behind these attacks or where they're based.
The issues stem from a change Facebook made to its video uploading feature in July 2017, which impacted "View As." Once the attackers had found the vulnerability and used it to get an access token, Rosen said they then had to pivot from that account to others to steal more tokens.
In response, Rosen said Facebook had fixed the vulnerability and notified law enforcement. The social networking service has not only reset the access tokens of the almost 50 million accounts Facebook knows were affected, but also took the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the past 12 months.
In addition, Rosen said Facebook has temporarily turned off the "View As" feature while it conducts a thorough security review.
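The two defensive properties at the centre of this story are that a token minted during a "View As" preview must belong to the real, logged-in viewer rather than the person being viewed, and that a provider must be able to reset every outstanding token for a set of accounts in one step. The following is an added illustration of both, written for this article and not Facebook's code; the per-account generation counter and the HMAC token layout are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Iterable, Optional

# Constructed per-process signing key (an assumption of the example).
SERVER_KEY = secrets.token_bytes(32)


class TokenService:
    """Minimal access-token issuer with per-account bulk reset."""

    def __init__(self) -> None:
        # account_id -> current token generation; bumping it revokes all
        # tokens issued under the previous generation for that account.
        self.generation: dict = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def mint(self, authenticated_user: str, view_as_subject: Optional[str] = None) -> str:
        # The token's subject is always the authenticated viewer. The
        # `view_as_subject` only controls what is rendered in the preview and
        # must never influence whose credential is issued.
        gen = self.generation.setdefault(authenticated_user, 0)
        payload = f"{authenticated_user}:{gen}:{int(time.time())}"
        return f"{payload}:{self._sign(payload)}"

    def validate(self, token: str) -> Optional[str]:
        # Return the account this token authenticates, or None if the token
        # is malformed, forged, or predates a reset of that account.
        try:
            user, gen, ts, sig = token.rsplit(":", 3)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(f"{user}:{gen}:{ts}")):
            return None
        if int(gen) != self.generation.get(user, 0):
            return None
        return user

    def reset_tokens(self, account_ids: Iterable[str]) -> int:
        # Bulk reset as described above: every previously issued token for
        # each listed account stops validating; users simply log in again.
        ids = list(account_ids)
        for acct in ids:
            self.generation[acct] = self.generation.get(acct, 0) + 1
        return len(ids)
```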
"People's privacy and security is incredibly important, and we're sorry this happened," Rosen said. "It's why we've taken immediate action to secure these accounts and let users know what happened."
Allowing websites or applications to automatically authenticate a user without requiring biometrics or even a password poses a huge, significant danger, according to Michael Crean, president of Woodbridge, Va.-based Solutions Granted.
Crean said users should refrain from allowing machines, websites or applications to remember their user name and passwords and provide unfettered access to whoever is purporting to control the account. Instead of remaining logged into a service, Crean recommended that users rely on a password management tool like LastPass to store their login information for all of their different accounts.
"When that [the authentication] gets compromised, the attacker is given a free ride and access to whatever they have privilege to access," Crean said.