At Least Fifty to Ninety Million Facebook User Accounts’ Access Tokens Compromised ⇥ theguardian.com
Julia Carrie Wong, the Guardian:
Nearly 50m Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts, Facebook revealed on Friday.
The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected will be notified by Facebook. Those users will be logged out of their accounts and required to log back in.
[…]
The security breach is believed to be the largest in Facebook’s history and is particularly severe because the attackers stole “access tokens”, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.
Lorenzo Franceschi-Bicchierai and Jason Koebler, Vice:
“Parts of our site use a mechanism called single sign-on that creates a new access token,” Guy Rosen, Facebook’s vice president of product management, told reporters on a press call. “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to login again on that window.”
The hackers took advantage of three distinct vulnerabilities chained together in order to steal the tokens, Rosen said.
The vulnerabilities have existed since at least July 2017 and were related to Facebook’s “View As” tool, which allows you to view your own profile as if you were someone else (this is a privacy feature—it allows, for example, you to check whether your ex, or grandma, or anyone who you want to hide things from can see certain posts on your page.)
Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.
Who thought it was a good idea to allow basically one company, for which the most infamous slogan is “move fast and break things”, to grow to unprecedented scale with the personal information of billions of users and non-users with little to no regulation or oversight?