Facebook said attackers exploited a vulnerability in its code that let them steal access tokens when users switched over to a public profile view via the "View As" feature.
This article originally appeared on ZDNet.
Facebook on Friday disclosed a breach of its network that affected almost 50 million user accounts. The social networking giant said that attackers exploited a vulnerability in Facebook's code that let them steal access tokens when users switched over to a public profile view via the "View As" feature. The access tokens allowed the attackers to take over user accounts; however, it is still unclear whether user data was accessed or misused.
Facebook said it has secured its network and user accounts since its engineering team discovered the attack on September 25. The vulnerability has been fixed, and Facebook said it has notified law enforcement.
Meanwhile, the company has reset the access tokens on all of the affected user accounts, as well as on another 40 million accounts that were the subject of a "View As" look-up in the last year.
Anyone impacted by the reset will need to log back in to Facebook and into any apps that use Facebook Login. Once logged back in, affected users will see a notification at the top of News Feed alerting them to the incident.
Facebook has also disabled the "View As" feature while it conducts a security review.
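The precautionary token reset described above works because access tokens are validated server-side: deleting the server's record of a token invalidates it everywhere at once, and the holder (legitimate user or attacker) has to authenticate again. The following is an added illustration of that mechanism, not Facebook's code; the `TokenStore` class, the account names, the 365-day look-back window standing in for "the last year", and all timestamps are constructed for the example.

```python
"""Server-side access-token revocation, modelled on the precautionary reset
described in the article: tokens for directly affected accounts are removed,
and so are tokens for any account that was the subject of a "View As" lookup
within the look-back window. Every account id and timestamp below is
constructed sample data (assumption), not real Facebook data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class TokenStore:
    # token string -> (account_id, issued_at). The server is the source of
    # truth, so deleting an entry here is enough to invalidate the token
    # for every client that holds a copy of it.
    tokens: dict = field(default_factory=dict)
    # account_id -> timestamps at which that account was displayed via "View As"
    view_as_log: dict = field(default_factory=dict)

    def issue(self, account_id: str, now: datetime) -> str:
        """Mint an unguessable bearer token for account_id."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (account_id, now)
        return token

    def validate(self, token: str):
        """Return the owning account id, or None if the token is unknown or revoked."""
        entry = self.tokens.get(token)
        return entry[0] if entry else None

    def record_view_as(self, subject_account: str, when: datetime) -> None:
        """Log that subject_account's profile was rendered through "View As"."""
        self.view_as_log.setdefault(subject_account, []).append(when)

    def accounts_viewed_since(self, cutoff: datetime) -> set:
        """Accounts that were the subject of a "View As" lookup at or after cutoff."""
        return {acct for acct, times in self.view_as_log.items()
                if any(t >= cutoff for t in times)}

    def revoke_for_accounts(self, account_ids: set) -> int:
        """Delete every token belonging to the given accounts; return the count removed."""
        doomed = [tok for tok, (acct, _) in self.tokens.items() if acct in account_ids]
        for tok in doomed:
            del self.tokens[tok]
        return len(doomed)


def precautionary_reset(store: TokenStore, directly_affected: set,
                        now: datetime, lookback_days: int = 365) -> set:
    """Revoke tokens for the known-affected accounts plus any account that was
    viewed via "View As" in the look-back window (365 days is an assumption
    standing in for "the last year"). Returns the set of accounts reset."""
    cutoff = now - timedelta(days=lookback_days)
    targets = set(directly_affected) | store.accounts_viewed_since(cutoff)
    store.revoke_for_accounts(targets)
    return targets


def build_sample_store():
    """Constructed scenario: four accounts, one stolen token, two View As lookups."""
    now = datetime(2018, 9, 28, tzinfo=timezone.utc)
    store = TokenStore()
    tokens = {acct: store.issue(acct, now - timedelta(days=3))
              for acct in ("alice", "bob", "carol", "dave")}
    # alice: directly affected (her token was stolen).
    # bob:   viewed via "View As" 30 days ago, inside the window.
    # carol: viewed 400 days ago, outside the window.
    # dave:  never viewed.
    store.record_view_as("bob", now - timedelta(days=30))
    store.record_view_as("carol", now - timedelta(days=400))
    return store, tokens, now


def run_scenario():
    """Apply the reset and report which accounts were reset and whose tokens still work."""
    store, tokens, now = build_sample_store()
    reset = precautionary_reset(store, {"alice"}, now)
    still_valid = {acct for acct, tok in tokens.items() if store.validate(tok) == acct}
    return reset, still_valid


if __name__ == "__main__":
    reset, still_valid = run_scenario()
    print("accounts forced to log in again:", sorted(reset))
    print("tokens still accepted:", sorted(still_valid))
```

The point of the scenario is that a stolen token copy is worthless once the server forgets it, which is why the reset, rather than a client-side logout, is the meaningful remediation; the cost is that every holder of a revoked token, including the legitimate user and any app using Facebook Login, must sign in again.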
"Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Facebook said in a blog post. "We also don't know who's behind these attacks or where they're based. We're working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens."