Well, Facebook’s logo is appearing all over the news sites again today. What is it this time? A breach!
The investigation is still in its early stages; the security hole was discovered Tuesday afternoon. Facebook did pin the number of affected accounts at “almost 50 million”, but I would take that number with a grain of salt until the investigation has defined the full scope. Facebook has said the vulnerability itself is fixed, but working out the breadth of what was affected will take some time. They also said they do not yet know who the attackers are, or what they did or intended to do with the information. Oh, they also apologized.
The flaw was in Facebook’s “View As” feature, which lets you see your own profile the way a specific other user would see it. Without diving too far into the weeds, the vulnerability allowed an attacker to not only view the page as that other user, but to obtain that user’s access token. A token like that can be used to take complete control of the account, and the same trick can then be repeated from the compromised account to pivot to still more users.
What is an access token?
Think of an access token as what you get once you’ve already logged in: when you visit a Facebook page, the token is what the site checks to see that you are logged in, so it doesn’t need your password again on every request. This is normal practice for web applications. It’s how the server verifies that a user is still logged in, and the token is invalidated when the user logs out (so that the same token can never be replayed in a malicious manner). But if an access token is created or used outside of the intended means, as it was here, it is as good as the password it stands in for, and that doesn’t set Facebook up for success. It’s access tokens all the way down.
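To make the token mechanics concrete, here is an added example (my own illustration, not Facebook’s code; the store, the “full”/“preview” scopes and the view-as helpers are all assumptions for the sake of the demo). It issues a bearer token at login, refuses it after logout or expiry, and contrasts two ways of implementing a “view as” feature: one that mints a real full-scope token for the person being viewed as (the kind of mistake described above, which hands that account to whoever is doing the viewing) and one that mints a preview-only token that the resolver refuses for account access. It also shows the bulk reset that forces affected users to log in again.

```python
"""
Minimal session/access-token store illustrating the failure mode described
above. Hypothetical example, not Facebook code: the scopes, the
'preview' flow and all names are assumptions for illustration.
"""
import secrets
import time


class TokenStore:
    """Maps opaque bearer tokens to the account and scope they grant."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._tokens = {}  # token -> {"user", "scope", "actor", "expires"}

    def _mint(self, user, scope, actor, ttl):
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._tokens[token] = {
            "user": user,      # account the token speaks for
            "scope": scope,    # "full" (real session) or "preview" (render only)
            "actor": actor,    # who actually holds this token
            "expires": self._now() + ttl,
        }
        return token

    def login(self, user, ttl=3600):
        """Normal login: password is checked elsewhere, then a full token is issued."""
        return self._mint(user, "full", user, ttl)

    def resolve(self, token, require_scope="full"):
        """Return the account a token grants access to, or None if the token is
        unknown, expired, or not scoped for the requested use."""
        rec = self._tokens.get(token)
        if rec is None or rec["expires"] <= self._now():
            return None
        if require_scope == "full" and rec["scope"] != "full":
            return None  # a preview-only token must never unlock the account
        return rec["user"]

    def view_as_vulnerable(self, viewer_token, target_user, ttl=600):
        """The bug pattern: to render the page 'as' target_user, the server
        mints a real full-scope token for target_user and hands it to the
        viewer's session. Whoever holds viewer_token now owns target_user."""
        viewer = self.resolve(viewer_token)
        if viewer is None:
            raise PermissionError("not logged in")
        return self._mint(target_user, "full", viewer, ttl)

    def view_as(self, viewer_token, target_user, ttl=600):
        """Hardened: the preview token is scoped to rendering only and records
        the real actor, so resolve() refuses it for account access."""
        viewer = self.resolve(viewer_token)
        if viewer is None:
            raise PermissionError("not logged in")
        return self._mint(target_user, "preview", viewer, ttl)

    def logout(self, token):
        """Invalidate one token; the same string can never be replayed."""
        self._tokens.pop(token, None)

    def revoke_all_for(self, users):
        """Bulk reset of the kind described in the announcement: every token for
        the listed accounts is dropped, forcing those users to log in again."""
        users = set(users)
        doomed = [t for t, r in self._tokens.items() if r["user"] in users]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def demo():
    """Constructed scenario: 'mallory' is logged in and views as 'alice'."""
    store = TokenStore()
    attacker = store.login("mallory")
    leaked = store.view_as_vulnerable(attacker, "alice")
    safe = store.view_as(attacker, "alice")
    results = {
        "vulnerable_token_unlocks_alice": store.resolve(leaked) == "alice",
        "preview_token_unlocks_alice": store.resolve(safe) == "alice",
        "preview_token_renders_alice": store.resolve(safe, "preview") == "alice",
    }
    # The post-incident response: reset every token for the affected accounts.
    results["tokens_reset"] = store.revoke_all_for(["alice", "mallory"])
    results["leaked_after_reset"] = store.resolve(leaked) is None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two `view_as` variants is that both “work” from the user’s perspective; the only difference is what the minted token is allowed to do, which is exactly the kind of thing a feature-level test never notices and a token resolver has to enforce. Note also that `revoke_all_for` closes the door going forward only: anything read while a leaked token was valid is already gone.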
Were you affected?
Facebook says it has reset the access tokens for the roughly 50 million accounts directly affected, plus another 40 million as a precaution. A useful consequence: if you were made to log back in to Facebook on your computer, tablet, or phone, your token was one of those reset and you are in the scope of this investigation. The announcement also said there is no need to change your password at this time (the attack was on access tokens, which stand in for the password, so the attackers never needed it), so don’t worry there unless you have a terrible password that you should change anyway. Bear in mind that a token reset only closes the door going forward; anything pulled while a stolen token was still valid is already gone. This is also a good time to think about what Facebook knows about you, if you’re wondering what a breach of your account would reveal.
I’m a bit concerned that the VP of product management released the statement rather than, I don’t know, the VP of security? But maybe I’m just being picky.
Were you affected? Let us know!