Facebook has suffered the worst security breach in its history after its engineering team discovered a vulnerability affecting almost 50 million accounts.
The vulnerability stemmed from a change Facebook made to its video uploading feature in July 2017, which affected the "View As" feature. "View As" is a privacy feature that lets you see what your own profile looks like to someone else. It should be a read-only preview, but one version of it incorrectly displayed the video uploader, giving the viewer the opportunity to post a video. That was the first bug, and it exposed two more.
The second bug: the video uploader generated an access token that carried the permissions of the Facebook mobile app rather than the narrower permissions a web preview needs. The third bug: when the uploader appeared inside "View As", that token was issued for the user being looked up, not for the user who was actually logged in.
Together, the three bugs placed a valid access token for another user in the HTML of the page, where an attacker could extract it and use it to act as that user. Because the token was a full login credential, the attacker could then repeat the process from the compromised account to look up further users and harvest their tokens in turn.
Around 90 million Facebook users will have to log back into Facebook, and into any apps that use Facebook Login, because their access tokens have been invalidated. They will see a notification at the top of their News Feed explaining what happened.
Image source: Facebook
Facebook states that it has fixed the vulnerability and reset the access tokens of the almost 50 million affected accounts. As a precaution, it has also reset the tokens of a further 40 million accounts that were the subject of a "View As" lookup in the past year, since those accounts could have been targeted without leaving evidence. The "View As" feature has been disabled while Facebook conducts a thorough security review.
A Facebook spokeswoman confirmed that the accounts of Chief Executive Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg were among those affected. Zuckerberg described the breach as "really serious". Two Facebook users have already filed a lawsuit against the company in federal court in California.