Facebook succumbed to a security issue on Tuesday, Sept. 25 that affected the accounts of nearly 50 million FB users.

The security breach stemmed from a vulnerability in Facebook’s code for the “View As” feature, which is normally used to let people see what their profile looks like to another user.

“This allowed them[the cyber-attackers]  to steal Facebook access tokens which they could then use to take over people’s accounts,” Guy Rosen, VP of Facebook’s Product Management, wrote in a news release.  “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

As of this time of writing Facebook has fixed this vulnerability and informed law enforcement of the cyber-attack. Facebook also reset the access tokens of the 50 million accounts that were affected by the vulnerability, resulting in many users being signed out of their accounts, as well as reset the access tokens of 40 million other accounts that were looked up using the “View As” feature within the past year.

Actions Taken By Facebook

As the social media company investigates further into the issue they temporarily turned off the feature until a thorough security review has been conducted.

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As,” Rosen wrote. “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

How Did The Vulnerability Happen?

The vulnerability caused by the video uploader bug exposed the access tokens in HTML, stemming from an update in the video uploader that allowed the “View As” feature to post a video in a content composer which specifically enables people to wish their friends happy birthday.

“When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up,” wrote Pedro Canahuati, Facebook VP of Engineering, Security and Privacy.

By taking advantage of this vulnerability, attackers were able to pivot from that access token and obtain the access tokens of other accounts using the same method.

It is yet to be determined as to whether the affected accounts were misused, if any information was accessed or the identity of the involved parties behind the security breach.

Previous Facebook Security Breaches

Facebook has come under heavy flak in 2018 with the largest data breach in its history occurring through the leak of more than 87 million users that may have influenced the 2016 presidential election.

While the Cambridge Analytica scandal is the largest data privacy breach in Facebook’s history, other online marketers have abused the system in similar ways as written by Alexandria Samuel on The Verge:

“If Facebook’s generous access to friend data was known to many marketers and software developers, so was the tactic of disguising data grabs as fun apps, pages, or quizzes,” she wrote.

The article cites many references to marketers and the tactics they used to gain data from users on the platform, but Sam Weston, a communication consultant in digital marketing and market research, said “We were all conscious that friend data was accessible. I don’t think that anybody had perspective on the potential consequences until it was slotted into this news story, where the consequence may have been the election of Donald Trump.”

“It is actually stunning to think, with the clarity that perspective brings, that you could stand up the kind of ridiculous quiz or survey that they did and then walk away with psychographic profiles on 50 million Americans. Even for someone who worked in the field, [the Cambridge Analytica story] was a moment that gave you real pause to reflect on the business that we walked away from, but that was a massive part of the industry for a long time,” he continued later in the article.

Facebook is currently taking several actions to prevent a similar incident from occurring in the future including:

  • Safeguarding the platform
  • Investigating other apps
  • Creating better controls and technology to prevent abuse
  • Removing fake accounts and pages produced by spammers
  • Hiring 15,000 people for security and content review
  • Strengthening advertising practices through transparency and page verification
  • Sharing information and cooperating with governments