By Sam Dean, Los Angeles Times
Nearly 50 million Facebook accounts have been affected by a security breach that enabled hackers to take over users’ accounts, the social media giant announced Friday.
The new breach comes as Facebook strives to convince its more than 2 billion users that it can be trusted. It is grappling with the fallout from the revelation that British consulting firm Cambridge Analytica harvested the personal data of up to 87 million users, as well as the revelation that it unwittingly played host to a massive Russian misinformation campaign during the 2016 U.S. elections.
The new vulnerability was discovered Tuesday afternoon and has been patched, Facebook said.
“Attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” the company said Friday in an online post. “This allowed them to steal Facebook access tokens” – which gave attackers full access to user profiles, as if the hackers were those users.
“This is a really serious security issue, and we’re taking it really seriously,” Facebook Chief Executive Mark Zuckerberg told reporters on a phone call Friday. “We need to be more proactive about defending our community.”
No password or credit card data were stolen, Guy Rosen, Facebook vice president of product management, told reporters. He said it was unclear whether the attackers had accessed private messages or posts and whether they had posted from hacked accounts.
Access tokens keep people logged in to the social network so they don’t have to log back in every time they open the app, visit the website or use third-party services that rely on their Facebook logins.
Facebook said it has reset the access tokens of all affected users and, as a precaution, of 40 million additional users who had used the View As feature in the year since the vulnerability was introduced. Resetting a token invalidates it on Facebook's servers, so any stolen copy stops working; the affected users were in effect logged out and will have to log back in the next time they use the service.
The company said it is in the early stages of its investigation into the issue, and has reported the breach to the FBI and to Irish law enforcement agencies. At this point, Rosen said, the company has not determined who orchestrated the attack, where it came from or whether it had targeted a particular subsection of Facebook’s users.
Facebook discovered the attack after detecting an unusual leap in user activity Sept. 16, and its investigation revealed the nature of the attack this Tuesday, Rosen said. He said that on Wednesday, Facebook notified law enforcement agencies and began patching the vulnerabilities, finishing Friday morning.
Rosen said the vulnerability the attackers exploited was a chain of three separate bugs, introduced more than a year ago when engineers updated the video upload feature in July 2017, and the exploit hinged on reminders to wish friends a happy birthday.
The first bug caused the video uploader to generate a new access token when it rendered. That was odd, but by itself not a major risk: a user had to be logged in to reach the uploader, so they already held a token for their own account on their device.
The second bug is where birthdays enter the picture. The View As function let users see their profile pages as if they were someone else, in order to determine whether their privacy settings were to their liking. Typically, the video uploader wouldn’t appear in View As mode, but because of the second bug, the video uploader did appear when the page being viewed contained notifications from Facebook urging the user to send birthday messages to friends.
The third bug turned those minor errors into a major security issue. If a user viewed their own profile page as if they were a particular Facebook friend – say, an old roommate – and the video uploader appeared on the page, the uploader would spit out an access token not for the user’s own account, but for the ex-roommate’s. That token provided full access to the ex-roommate’s Facebook account.
Once the hackers gained access to one account, they could then repeat the process with that account’s friends, over and over.
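The three bugs and the friend-to-friend chain are easier to see in code. The following is an added simulation written for this page, not Facebook's code (which was never published): the TokenStore, render_profile and harvest names, the FRIENDS graph and the BIRTHDAYS_TODAY set are all constructed assumptions. It renders a profile in a vulnerable mode that reproduces the chain and in a hardened mode that refuses to render the uploader under View As and binds any token it mints to the authenticated session user, then walks the friend graph breadth-first the way the article describes.

```python
"""Simulated model of the three-bug "View As" token chain (added example).

Not Facebook's code. Every name and data value below is an assumption made
for illustration; the real implementation was never published.
"""
from collections import deque
import secrets

# Constructed sample data: a small friend graph and whose birthday is today.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave"},
}
BIRTHDAYS_TODAY = {"carol", "dave"}


class TokenStore:
    """Server-side record of which user each bearer access token acts as."""

    def __init__(self):
        self._owner = {}

    def issue(self, user_id):
        tok = secrets.token_hex(8)
        self._owner[tok] = user_id
        return tok

    def owner(self, token):
        return self._owner.get(token)


def render_profile(session_token, view_as, store, hardened):
    """Render the logged-in user's profile, optionally "as" one of their friends.

    Returns (components, token_minted_by_uploader). The birthday composer, and
    the video uploader embedded in it, appears when a friend has a birthday
    today, which is the condition the article says bug 2 depended on.
    """
    session_user = store.owner(session_token)
    if session_user is None:
        raise PermissionError("invalid session token")
    if view_as is not None and view_as not in FRIENDS[session_user]:
        raise ValueError("View As only accepts one of the user's friends")

    components = ["header", "timeline"]
    minted = None
    birthday_prompt = bool(FRIENDS[session_user] & BIRTHDAYS_TODAY)

    # Bug 2: the composer (with the uploader) rendered even in View As mode.
    # Hardened: never render it while impersonating someone.
    if birthday_prompt and (view_as is None or not hardened):
        components += ["birthday_composer", "video_uploader"]
        # Bug 1: the uploader mints a fresh token on render. Alone this only
        # re-issues a token to a user who already holds one.
        # Bug 3: it minted the token for the user the page was shown *as*.
        # Hardened: a token is only ever bound to the authenticated session.
        principal = session_user if (view_as is None or hardened) else view_as
        minted = store.issue(principal)
    return components, minted


def harvest(attacker_token, store, hardened):
    """Chain the flaw across the friend graph, breadth-first.

    Each stolen token becomes the session used to "View As" that victim's
    friends, so one foothold spreads as far as birthday prompts allow.
    """
    start = store.owner(attacker_token)
    stolen = {start: attacker_token}
    queue = deque([start])
    while queue:
        victim = queue.popleft()
        for friend in sorted(FRIENDS[victim]):
            if friend in stolen:
                continue
            _, tok = render_profile(stolen[victim], friend, store, hardened)
            if tok is not None and store.owner(tok) == friend:
                stolen[friend] = tok
                queue.append(friend)
    return stolen


if __name__ == "__main__":
    store = TokenStore()
    foothold = store.issue("alice")  # the attacker's own legitimate login
    print("vulnerable:", sorted(harvest(foothold, store, hardened=False)))
    print("hardened:  ", sorted(harvest(foothold, store, hardened=True)))
```

In the vulnerable run the walk from alice reaches bob, carol and dave but not erin, because dave has no friend with a birthday today and so never sees the composer; that is the dependency on birthday reminders the article describes. In the hardened run nothing beyond the attacker's own account is reachable, since the uploader is never rendered under View As and any token it does mint names the session user, not the impersonated friend.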
Given the speed and scale of the attack, Rosen said it likely involved some degree of automation.
©2018 Los Angeles Times
Visit the Los Angeles Times at www.latimes.com
Distributed by Tribune Content Agency, LLC.