Facebook reported a major security issue affecting around 50 million users. The company discovered an attack in which hackers gained access to around 50 million users’ access tokens, effectively giving them full access to 50 million accounts.
The flaw was reportedly caused by Facebook’s “View As” feature, which lets you view your own profile as one of your friends would see it, to better tune your posts’ privacy settings. The feature gave away the access token to attackers, giving them access to the users’ accounts.
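To make the failure mode concrete, here is an added illustration (not Facebook’s code, and a deliberately simplified model): a “view as” preview that mints its embedded token for the impersonated user leaks that user’s credential to whoever requested the preview, whereas a correct preview only ever carries a restricted token for the real viewer. The token store, user names and scope strings are assumptions for the example; it also shows the precautionary bulk reset the article describes.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class TokenStore:
    """Constructed in-memory token store: token -> (user_id, scope)."""
    tokens: dict = field(default_factory=dict)

    def mint(self, user_id: str, scope: str) -> str:
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (user_id, scope)
        return tok

    def owner(self, tok: str):
        return self.tokens.get(tok)

    def revoke_all_for(self, user_ids) -> int:
        """Precautionary reset: drop every token belonging to the given users."""
        doomed = [t for t, (u, _) in self.tokens.items() if u in user_ids]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


def render_view_as_vulnerable(store: TokenStore, viewer: str, target: str) -> dict:
    # BUG: the page is built "as" the target, so the token embedded for an
    # uploader widget is minted for the target and handed to the requester.
    return {"profile_of": target, "uploader_token": store.mint(target, "full")}


def render_view_as_fixed(store: TokenStore, viewer: str, target: str) -> dict:
    # Impersonation is presentation-only: any credential on the page belongs
    # to the real viewer and is scoped to the preview, never to the target.
    return {"profile_of": target,
            "uploader_token": store.mint(viewer, "view_as:readonly")}


def leaks_target_credential(store: TokenStore, page: dict, target: str) -> bool:
    """Detection check on a rendered page: is its token usable as the target?"""
    entry = store.owner(page["uploader_token"])
    return entry is not None and entry[0] == target
```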
After discovering the attack, Facebook reset the access tokens of the 50 million users affected, as well as those of another 40 million users as a precautionary measure. These users will be automatically logged out of their Facebook accounts and will need to log back in. Facebook says it has fixed the issue, though it has temporarily disabled the View As feature to confirm the fix and investigate the attack further.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” the company said in a blog post.
Facebook says it will continue to investigate the attack, as well as the hackers behind it. For now, though, it doesn’t know much about the hackers or where they are based, so the investigation will likely take some time. This isn’t the first privacy- and security-related issue Facebook has run into in recent months, but it is probably the worst one so far.