Facebook Recent Hack Affected 30 Mn Accounts, Not 50 Mn: Guy Rosen


SUMMARY

The vulnerability was the result of a complex interaction of three distinct software bugs that impacted Facebook “View As”

It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts

The attack did not include Messenger, Instagram, WhatsApp, Oculus, payments, etc

World’s most-used social media platform Facebook has clarified that accounts of 30 Mn users were actually affected in the recent security breach.

Last month, the California-based social media giant had reported that 50 Mn Facebook users’ accounts were affected.

Facebook product management vice-president Guy Rosen posted a blog stating: “We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”

On September 14, Facebook engineers had detected some unusual activity on the social media platform’s networks. It was a hack that exploited the vulnerability in its code that impacted “View As”, a feature that shows users how their profile looks to the public or when viewed as a specific person.

According to Rosen, the vulnerability was the result of a complex interaction of three distinct software bugs that impacted “View As”.

“It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen said.

Within two days after Facebook determined this was actually an attack, it closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. It also turned off “View As.”

According to Facebook, here’s how the social media company found the attack that exploited this vulnerability:

  • First, the attackers already controlled a set of accounts, which were connected to Facebook friends
  • They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people
  • The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 Mn people
  • For 15 Mn people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles)
  • For 14 Mn people, the attackers accessed the same two sets of information, as well as other details people had on their profiles, including username, gender, locale/language, relationship status, religion, hometown, current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into, etc.
  • For one Mn people, the attackers did not access any information.

“Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers,” Rosen said.

People can check whether they were affected by visiting Facebook’s Help Center. The social media company will soon be sending customised messages to all the 30 Mn people whose accounts were affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.


Photo Credit: Facebook. Customised messages that people will see depending on how they were impacted

Facebook has, however, confirmed that this attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.

A week after Facebook reported the hack, India’s ministry of electronics and IT (MEITY) had written to Facebook to “quantify the impact on its users in India” with a detailed report.

Responding to the government’s query, Facebook has sought more time to determine to what extent users in India were affected by the hack. It has reportedly sent two emails on the matter.

In the blog, Rosen further wrote: “We’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities, as we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks.”
