A loophole making interception of the user's access tokens possible was found in the code of the “View as” feature on the social network’s website. The company reported this on its official news blog.
Access tokens eliminate the need to enter a password every time the browser is closed or a new tab is opened. However, as practice shows, developers are not always able to combine the proper level of security with the usability of the service.
Facebook stated that the company is temporarily disabling the "View As" feature while it sorts out the problem. The sessions of 50 million users were forcibly terminated, since attackers could exploit the bug and log into other users' accounts. Thus, essential user data could be compromised, for example, bank accounts linked to a profile.
Apparently, the vulnerability had been present for a long time. Later, the social network forcibly logged out another 40 million users who could have been at risk during this year.
An important question is whether the bug could be used, through other people's accounts, to access the tens of thousands of websites that support login via Facebook.
A Facebook spokesman confirmed that attackers could technically exploit the vulnerability in order to log in to third-party services, but so far no such incidents are known.
Facebook advises its users to change their passwords and to check carefully where they have logged in and which devices they have recently used to access the account. This information can be found on the relevant page in the settings. If you notice that someone has logged in from a suspicious device or from a place where you have not been, you can forcibly terminate the session on all logged-in devices.
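The two responses described above, listing a user's active sessions with their device and location and forcibly logging the user out everywhere, come down to how a server stores and revokes access tokens. The following is an added example written for this article and is not Facebook's code (the page shows none); the user ids, device names and locations are constructed sample data, and the token store is a plain in-memory dictionary standing in for a real session database.

```python
"""Minimal server-side access-token store (added example, not Facebook's code).

Shows the mechanics behind "check where you are logged in" and "forcibly
terminate the session on all devices": tokens are issued per device,
validated on each request, listed per user and revoked in bulk.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    device: str
    location: str
    issued_at: float
    expires_at: float


@dataclass
class TokenStore:
    # Maps sha256(token) -> Session. Only the hash is stored, so a copy of
    # this table does not by itself contain usable bearer tokens.
    _sessions: dict = field(default_factory=dict)
    ttl_seconds: int = 60 * 60 * 24 * 30  # 30-day lifetime (assumed value)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, device: str, location: str, now=None) -> str:
        """Create a new session and return the raw token to hand to the client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = Session(
            user_id, device, location, now, now + self.ttl_seconds
        )
        return token

    def authenticate(self, token: str, now=None):
        """Return the user id for a valid token, or None if it is unknown, expired or revoked."""
        now = time.time() if now is None else now
        session = self._sessions.get(self._key(token))
        if session is None or now >= session.expires_at:
            return None
        return session.user_id

    def active_sessions(self, user_id: str, now=None):
        """What the 'where you're logged in' settings page would display."""
        now = time.time() if now is None else now
        return [
            s for s in self._sessions.values()
            if s.user_id == user_id and now < s.expires_at
        ]

    def revoke_all(self, user_id: str) -> int:
        """Forcibly log one user out of every device; returns tokens invalidated."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def revoke_users(self, user_ids) -> int:
        """Bulk variant, the shape of a mass reset after a token-exposure incident."""
        return sum(self.revoke_all(u) for u in user_ids)


def demo():
    # Constructed sample data: two sessions for alice, one for bob.
    store = TokenStore()
    t_alice_pc = store.issue("alice", "Chrome on Windows", "Berlin, DE")
    store.issue("alice", "Android app", "Lagos, NG")  # constructed: a location alice does not recognise
    t_bob = store.issue("bob", "Firefox on Linux", "Paris, FR")

    before = [(s.device, s.location) for s in store.active_sessions("alice")]
    revoked = store.revoke_all("alice")  # alice terminates all her sessions
    return {
        "alice_sessions_before": before,
        "revoked": revoked,
        "alice_token_after": store.authenticate(t_alice_pc),  # None: revoked
        "bob_token_after": store.authenticate(t_bob),         # "bob": untouched
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: store only a hash of the token so that reading the session table does not yield login credentials, and key revocation by user id so that a single call can invalidate every device at once, which is exactly what a forced logout of millions of accounts requires.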
2018 has turned out to be quite a difficult year for Facebook. The previous reputational blow was the scandal over the leak of tens of millions of users' data through the British company Cambridge Analytica. Back then, Facebook shares fell sharply by more than 7%, a #DeleteFacebook flashmob spread across the network, and Mark Zuckerberg had to apologise before the US Senate to regain investor confidence.