In case you were wondering what has been going on with Facebook over the past couple of days, with users everywhere reporting that they were being logged out and back in to the social media platform, today Facebook came clean about it via a blog post.
Apparently, the “View As” feature, which allows users to see how their profile looks to others, had a flaw that allowed hackers to steal the access tokens of accounts. Facebook did not disclose what the flaw was or how stealing the tokens was possible.
To contain the incident, Facebook reset the access tokens of the almost 50 million accounts that had been affected and forcibly logged them out, on Friday and again throughout the weekend.
Facebook has stated that it is resetting the access tokens of another 40 million accounts, adding up to 90 million users who will have to log back in on the Facebook website or through the Facebook app. After logging back in, these users will see a notification in their News Feed informing them about what happened.
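The remediation described above, resetting tokens rather than passwords, works because an access token is a server-side credential that the platform can invalidate on its own. The following is an added illustration, not Facebook's code and not a description of its internal systems: a hypothetical in-memory token registry that issues opaque bearer tokens, bulk-revokes every token of a set of affected accounts issued before a cutoff, rejects requests that present a revoked token, and flags those users so they see a notice at their next login. All names (`TokenStore`, `revoke_for_users`, the user ids and timestamps) are constructed for the example.

```python
"""Added example: server-side access-token registry with bulk revocation.

This is illustrative code written for this article, not Facebook's implementation.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class TokenRecord:
    user_id: int
    issued_at: float
    revoked: bool = False


class TokenStore:
    """Hypothetical registry mapping opaque bearer tokens to their owner and state."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}
        # Users whose tokens were reset; they are shown a notice at next login.
        self.pending_notice: Set[int] = set()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        # 256 bits from the OS CSPRNG: the token is an unguessable lookup key,
        # so the server, not the client, decides when it stops being valid.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id, time.time() if now is None else now)
        return token

    def validate(self, token: str) -> Optional[int]:
        """Return the owning user id for a live token, or None if unknown or revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        return rec.user_id

    def revoke_for_users(self, user_ids: Iterable[int], issued_before: float) -> int:
        """Invalidate every token of the given users issued before the cutoff.

        Returns the number of tokens revoked. Tokens of other users are untouched,
        so the reset can be scoped to the affected population only.
        """
        affected = set(user_ids)
        count = 0
        for rec in self._tokens.values():
            if rec.user_id in affected and not rec.revoked and rec.issued_at < issued_before:
                rec.revoked = True
                count += 1
                self.pending_notice.add(rec.user_id)
        return count

    def login(self, user_id: int, now: Optional[float] = None) -> Tuple[str, bool]:
        """Fresh login after a reset: a new token plus whether to show the incident notice."""
        show_notice = user_id in self.pending_notice
        self.pending_notice.discard(user_id)
        return self.issue(user_id, now), show_notice


def demo() -> dict:
    """Constructed scenario: user 1 is in the affected set, user 2 is not."""
    store = TokenStore()
    t_app = store.issue(1, now=100.0)    # user 1, mobile app session
    t_web = store.issue(1, now=150.0)    # user 1, web session
    t_other = store.issue(2, now=100.0)  # user 2, unaffected

    revoked = store.revoke_for_users({1}, issued_before=200.0)

    # Both of user 1's sessions are dead; user 2 is unaffected.
    after_reset = (store.validate(t_app), store.validate(t_web), store.validate(t_other))

    # User 1 logs back in, gets a fresh token and the one-time notice.
    new_token, notice_shown = store.login(1, now=300.0)
    relogin_ok = store.validate(new_token) == 1
    _, notice_again = store.login(1, now=400.0)

    return {
        "revoked": revoked,
        "after_reset": after_reset,
        "relogin_ok": relogin_ok,
        "notice_shown": notice_shown,
        "notice_again": notice_again,
    }


if __name__ == "__main__":
    print(demo())
```

The cutoff timestamp matters: revoking only tokens issued before the incident was contained lets a platform reset the affected population without also killing sessions established after the fix, and scoping the revocation by user id is what allows a second wave (the additional 40 million accounts above) to be added later without touching everyone else.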
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
The security update will not require people to change their passwords, though, and the blog post states that they have ‘only just started [their] investigation, [and] have yet to determine whether these accounts were misused or any information accessed.’
Even so, many people are considering deactivating their Facebook accounts, especially since this is not the first security controversy the social media platform has faced this year.
Rohit Chopra, a commissioner for the Federal Trade Commission, tweeted just three words that are, understandably, on everyone’s mind:
At the time this article is being written, the “View As” feature is still inaccessible.