Facebook has recently issued a password reset to around 90 million users, after a flaw was discovered in Facebook's code affecting "View As", a feature that lets people see what their own profile looks like to someone else.
In a statement released by Guy Rosen, VP of product management at Facebook, the flaw was said to have been discovered on Tuesday 20th September and to have affected more than 50 million accounts. He said that the flaw could allow an attacker to steal Facebook access tokens, which they could then use to take over people's accounts.
“Access tokens are the equivalent of digital key that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he said.
Rosen confirmed that the vulnerability has been patched and that access tokens have been reset for almost 50 million users, with another 40 million reset as a precaution.
Rosen said: “This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from the account to others to steal more tokens.”
He also admitted that it is not yet clear whether the accounts were accessed, or who was behind this, but law enforcement has been informed.
He said: “People’s privacy and security is incredibly important, and we are sorry this happened. It’s why we have taken immediate action to secure these accounts and let users know what happened.”
Oleg Kolesnikov, director of threat research and cybersecurity analytics at Securonix, said that the security issue appears to have been the result of a code change made to Facebook's video uploading feature in July 2017.
Sam Curry, chief security officer at Cybereason, said: “In the big picture this is just another day and another breach and once again ‘privacy’ is the victim. Whether 50 million, 100 million or 1 billion Facebook users were compromised is immaterial, as the real issue with any compromise is that this is another blow to our collective privacy.
“Today, consumers should be working under the assumption that their private information has been stolen by hacker ten times over. Today, consumers are reminded again to watch their identities and credit for abuse.”
Tim Mackey, senior technical evangelist at Synopsys, said: “Because this issue impacted ‘access tokens’, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications.”
“If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they have granted access rights to within Facebook.”
A spokesperson for the National Cyber Security Centre said: “There is no evidence that people have to take action such as changing their passwords or deleting their profiles.”
“However, users should be particularly vigilant to possible phishing attacks; as if the data has been accessed it could be used to make scam messages more credible.”
The news comes at the end of a particularly bad week for Facebook, after Instagram’s founder resigned from the company and WhatsApp’s founder Brian Acton criticized the company in an interview.