Just recently, Facebook disclosed a massive hacking attack on 50 million accounts. To mitigate the attack, Facebook had to reset access tokens for about 90 million user accounts, adding 40 million more accounts as a precaution. According to the initial reports, the attack took place because of a vulnerability in the Facebook “View As” profile feature. Nonetheless, in a press conference held later, Facebook pointed out three different bugs responsible for the massive account hacks.
Three Different Bugs Let The Attackers Hack 50 Million Facebook Accounts
Facebook recently confessed to a major hacking incident affecting roughly 50 million user accounts. According to the initial disclosure, hackers exploited a vulnerability in the Profile “View As” option, stealing user access tokens. This allowed the hackers to take over the accounts as the users without the need to log in.
At that time, Facebook stated that the investigations remained in progress in order to further investigate. Later that day, Facebook conducted a press conference. There, they highlighted three different bugs that triggered Facebook account hacks. These vulnerabilities existed in the new Video Uploader version, along with the “View As” feature which were present for around a year. Together, these three bugs facilitated the hackers to take over accounts.
The following was stated in Facebook’s security update regarding the vulnerabilities,
“First: View As is a privacy feature that lets people see what their own profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.
Second: A new version of our video uploader (the interface that would be presented as a result of the first bug), introduced in July 2017, incorrectly generated an access token that had permissions of the Facebook mobile app.
Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.”
The Story Continues…
In the press conference, Guy Rosen, Facebook’s Vice President of Product Management, and Nathaniel Gleicher, Facebook’s Head of Cybersecurity Policy, gave detailed answers to various questions whilst explaining the technicalities.
According to Rosen, the three bugs arose back in July 2017, when Facebook launched the new video uploader. While Facebook discovered the 50 million account hacks on September 25, 2018, they were already suspicious upon noticing a sudden spike in the traffic on September 16, 2018. Although they began investigating the matter since then, the hackers were quick to exploit the vulnerabilities.
Facebook has begun notifying the affected users about this incident after they reset access tokens. Rosen said in the press conference while answering a question,
“To clarify, 50 million are the accounts are the accounts that we’ve confirmed have been affected by this attack and the additional 40 million are users who have interacted with that View As product where the vulnerability existed. We’re taking a — as a — out of an abundance of caution — the step of resetting their access tokens as well.”
What About Instagram And WhatsApp?
Facebook officials confirmed in the press conference that the three different bugs directly affected Facebook. They did not directly impact any other apps. However, those Instagram users having linked Facebook accounts need to unlink and then relink their accounts. As stated by Guy Rosen,
“If you have a Facebook account that has been affected which is linked to an Instagram account, what you have to do today is to unlink and relink that account to Instagram.”
“There was no impact on any WhatsApp users at all.”
For now, Facebook officials said they are “still early in investigations” to confirm the impact of this incident on the users globally. Nor they could state anything regarding the hackers yet. However, they confirm that they have informed law enforcement authorities, and will keep updating the public over this matter.