The Facebook Hacked was discovered on the afternoon of Tuesday, September 25th. The security of about 50 million account holders have been compromised. This discovery was made by the engineering team of Product Management. The VP of Product Management wants all the account holders to know that after the Facebook Hacked came to light, they are taking the issue very seriously. They want the users to be aware of the Facebook Hacked and that they will be taking prompt action to safeguard the user’s accounts and details.
Though the investigation regarding the Facebook Hacked is in its initial stage, it is quite clear that the hackers have found a way to access the user’s accounts. It is thought to be a vulnerability in the Facebook’s code which impacted the ‘View As’ feature. This feature of Facebook allows the users to see what their personal profile looks to others. The hackers could steal Facebook access tokens which enabled them to take over and operate the Facebook user’s accounts. The access tokens are actually the digital keys wherein a Facebook user can remain logged in without any need to re-enter their password every time they need to use the app.
The primary action towards the Facebook Hacked was that the law enforcement agencies have been informed and the vulnerability has been fixed.
The access tokens of the affected 50 million accounts have been reset in order to protect the user’s security. As a precautionary measure, the access tokens of about 40 million accounts which have been subject to ‘View As’ in the past 1 year have been reset.
Due to the Facebook Hacked, at least 90 million users will now have to log in to Facebook or any other apps that use Facebook Login again. After this is done, the users will receive a notification at the top of their News feed explaining about the Facebook Hacked.
The ‘View As’ feature is temporarily turned off so that they can conduct a thorough investigation to figure out where the breach occurred. They have yet to see if any of the user’s accounts were misused or any personal information accessed. It is also not clear who is behind these attacks and where the hackers are based. If they find that there are more accounts that have been affected, then the access tokens willbe reset immediately.
Only last week some additional details came to light. The vulnerability of the system was exploited and the Facebook access tokens for the user’s accounts in HTML were exposed. This happened as a result of three bugs.
The ‘View As’ feature which is a privacy feature allows people to see what their profile looks like to others. ‘View As’ is a view only interface. The box that allows you to wish your friends on their birthdays, with the ‘View As’ feature incorrectly enabled it to post a video.
In the second instant, the new version of the video uploader, (which appears due to the first bug) that was introduced in July 2017, gave an access token that had the accessibility of the Facebook mobile app.
Thirdly, when the video uploader appeared, it provided the access token not to you as the viewer, but for the user you were looking up.
All these three bugs combined became a vulnerability when the ‘View As’ feature was used to see your profile as a friend, the code did not remove the person that allows people to wish you; the access token was generated with the video uploader and the access token was not for you but for the person being looked up.
The access token was present in the HTML which the hackers extracted and could log in as another user. They could then access other accounts and get more access tokens.
Though the investigation regarding the Facebook Hacked is in its initial stage, it is quite clear that the hackers have found a way to access the user’s accounts. It is thought to be a vulnerability in the Facebook’s code which impacted the ‘View As’ feature. This feature of Facebook allows the users to see what their personal profile looks to others. The hackers could steal Facebook access tokens which enabled them to take over and operate the Facebook user’s accounts. The access tokens are actually the digital keys wherein a Facebook user can remain logged in without any need to re-enter their password every time they need to use the app.
Action taken towards Facebook Hacked
The primary action towards the Facebook Hacked was that the law enforcement agencies have been informed and the vulnerability has been fixed.
The access tokens of the affected 50 million accounts have been reset in order to protect the user’s security. As a precautionary measure, the access tokens of about 40 million accounts which have been subject to ‘View As’ in the past 1 year have been reset.
Due to the Facebook Hacked, at least 90 million users will now have to log in to Facebook or any other apps that use Facebook Login again. After this is done, the users will receive a notification at the top of their News feed explaining about the Facebook Hacked.
The ‘View As’ feature is temporarily turned off so that they can conduct a thorough investigation to figure out where the breach occurred. They have yet to see if any of the user’s accounts were misused or any personal information accessed. It is also not clear who is behind these attacks and where the hackers are based. If they find that there are more accounts that have been affected, then the access tokens willbe reset immediately.
Further Details regarding the Facebook Hacked
Only last week some additional details came to light. The vulnerability of the system was exploited and the Facebook access tokens for the user’s accounts in HTML were exposed. This happened as a result of three bugs.
The ‘View As’ feature which is a privacy feature allows people to see what their profile looks like to others. ‘View As’ is a view only interface. The box that allows you to wish your friends on their birthdays, with the ‘View As’ feature incorrectly enabled it to post a video.
In the second instant, the new version of the video uploader, (which appears due to the first bug) that was introduced in July 2017, gave an access token that had the accessibility of the Facebook mobile app.
Thirdly, when the video uploader appeared, it provided the access token not to you as the viewer, but for the user you were looking up.
All these three bugs combined became a vulnerability when the ‘View As’ feature was used to see your profile as a friend, the code did not remove the person that allows people to wish you; the access token was generated with the video uploader and the access token was not for you but for the person being looked up.
The access token was present in the HTML which the hackers extracted and could log in as another user. They could then access other accounts and get more access tokens.
