Turbotodd

Ruminations on tech, the digital media, and some golf thrown in for good measure.

Facebook Security Flaw

leave a comment »

The New York Times is reporting that Facebook said today an attack on its computer network led to the exposure of information from nearly 50 million of its users.

Facebook said it discovered the breach earlier this week, “finding that attackers had exploited a feature in Facebook code that allowed them to take over user accounts.”

The Times reports that Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack, and is in the beginning stages of its investigation.

Here’s Facebook’s detailed explanation of the exploit and the actions it says it has taken:

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement.

Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

The Times goes went on to write that:

One of Facebook’s most significant challenges has been convincing its users that it is responsible enough to handle the incredible wealth of data the company handles. More than 2 billion people use Facebook every month, and another two billion separately use WhatsApp, a messaging app owned by Facebook, and Instagram, the Facebook-owned popular photo-sharing app.

You know the drill.  Check your password, change it, etc ad nauseum ad infinitum.

Written by turbotodd

September 28, 2018 at 12:22 pm

Posted in 2018, cybersecurity

Tagged with , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: