Social networking behemoth Facebook has announced a breach which has compromised at least 50 million user accounts, and appears to extend to third-party services which use Facebook's single sign-on (SSO) system for authentication.
Announced late Friday, the security breach has been blamed on a flaw in the site's 'View As' functionality which allows users to see how their profile looks to others - and, apparently, allowed attackers to make off with account access tokens, giving them full access to the affected accounts as though they were the logged-in user.
'Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement,' explains Facebook vice president of product management Guy Rosen in the company's announcement of the breach, which was detected on September 25th - three full days before Facebook made the breach public. 'Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened. Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.'
Facebook's preliminary analysis of the flaw suggests it was opened during changes made to the site's video upload system in July 2017, generating access tokens as the user being targeted by the 'View As' system rather than the actual logged-in user and making them available in the HTML source of the page.
It's a serious flaw: Not only do the access tokens provide access to Facebook itself, but to any third-party site which uses Facebook's single sign-on (SSO) system - many of which, like music streaming service Spotify, handle financial details. It also covers Facebook users located within the European Union, meaning it exposes the company to fines under the General Data Protection Regulation (GDPR) of up to four percent of its annual global turnover - £1.25 billion, based on its 2017 figures.
Facebook's investigation continues.
April 3 2020 | 14:09