Facebook is in the news once again over the security of its data, as the company reports an issue that affects some 50 million accounts. According to the company, which says the issue is still under investigation, the attackers appear to have exploited a vulnerability in Facebook's code affecting the "View As" feature, which allows people to see what their own profile looks like when viewed by someone else.
It appears that exploiting this feature allowed the attackers to steal the access tokens of Facebook users, which then let them take over other people's accounts. An access token is a bearer credential: whoever holds it is treated as the logged-in user, so the stolen tokens acted as a key that gave the attackers access to people's accounts without ever entering a password.
Facebook has since confirmed that it promptly fixed the vulnerability and alerted law enforcement. It has also reset the access tokens of the 50 million accounts that were compromised. The company further advises that another 40 million accounts that have seen a "View As" lookup in the past year are having their access tokens reset as a precaution, so that they cannot be compromised later. So if you have been asked to log into Facebook again in the last few days, this is the reason why, and you will be greeted by an explanation from Facebook of what happened.
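To make the two points above concrete (a stolen access token works without the password, and resetting tokens is what cuts the attacker off), here is an added illustration in Python. It is not Facebook's code and says nothing about how Facebook's tokens are built; the `TokenStore`, `login` and the single "alice" user are assumptions made up for the example.

```python
"""Added example (not Facebook's code): a minimal bearer-token session store.

Shows why a stolen token bypasses the password entirely, and why the right
remediation is to invalidate (reset) the affected users' tokens server-side,
which forces a fresh login.  All names and sample data are constructed.
"""
import hashlib
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple


class TokenStore:
    """Maps sha256(token) -> (user_id, expiry).

    Only the hash is stored: a leaked session table then does not yield usable
    tokens.  The raw token is handed to the client once, at issue time.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, ttl: int = 3600,
              now: Optional[float] = None) -> str:
        """Mint a fresh random token for user_id, valid for ttl seconds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[self._key(token)] = (user_id, now + ttl)
        return token

    def authenticate(self, token: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Return the user the token belongs to, or None if unknown/expired.

        Note what is *not* checked here: the password.  Presenting a valid
        token is sufficient, which is exactly why a stolen one is so valuable.
        """
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expiry = entry
        if now >= expiry:
            del self._sessions[self._key(token)]
            return None
        return user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> int:
        """Invalidate every live token for the given users; returns the count.

        This is the server-side equivalent of the 'reset access tokens' step:
        the attacker's copy of the token stops working, and the legitimate
        user is prompted to log in again.
        """
        targets = set(user_ids)
        doomed = [k for k, (uid, _) in self._sessions.items() if uid in targets]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


# Constructed sample user; a real system would store a password hash.
USERS = {"alice": "correct horse battery staple"}


def login(store: TokenStore, user_id: str, password: str) -> Optional[str]:
    """Password is checked only here, at login; afterwards the token stands in."""
    if USERS.get(user_id) != password:
        return None
    return store.issue(user_id)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Stolen token works until the victim's tokens are reset."""
    store = TokenStore()
    alice_token = login(store, "alice", "correct horse battery staple")
    stolen = alice_token           # attacker obtains the raw token somehow
    before = store.authenticate(stolen)   # "alice": no password needed
    store.reset_tokens(["alice"])         # remediation step
    after = store.authenticate(stolen)    # None: the key no longer opens the door
    return before, after


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that `authenticate` never looks at a password, so changing the password alone would not have evicted an attacker who already held a token; only invalidating the tokens does. Short lifetimes (the `ttl`) bound how long a stolen token stays useful even when no reset is triggered.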
While the company completes its investigation, and even though the vulnerability has been fixed, Facebook has temporarily disabled the "View As" feature as a precaution. In its own words:
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
Facebook naturally apologizes for the security breach; you can read the full press release here.
Hacking Mark Zuckerberg’s Page
If a breach of 50 million accounts wasn't enough publicity for one day, Fortune reports on an independent Taiwanese hacker who claims he is going to live broadcast an attempt to wipe out Mark Zuckerberg's Facebook page on Sunday.
Bug-bounty hunter Chang Chi-yuan, who looks for bugs in software in exchange for cash rewards, says he will attempt to delete the Facebook founder's own Facebook page, and he'll live stream the effort for all to see from his own Facebook page.
“Broadcasting the deletion of FB founder Zuck’s account,” the lanky youngster, who turns 24 this year based on past interviews, told his 26,000-plus followers on Facebook this week. “Scheduled to go live.”
While exposing loopholes in websites or software is nothing new, and this particular hacker appears to make a business of it, what is out of the ordinary is that he will broadcast the attempt live. Fortune explains that this isn't the first time Chang has been in the spotlight for his exploits:
Chang, a minor celebrity at home who's gone on talk shows to discuss his exploits, was reportedly sued by a local bus operator after infiltrating their systems and buying a ticket for just NT$1 (3 cents). He's published a gamut of claims, none of which could be independently verified, including attacks on Apple Inc. and Tesla Inc. And his Facebook account was listed among eight "special contributors" in Line Corp.'s 2016 bug-hunters' hall of fame.
Whether he can actually delete the Facebook page of Mark Zuckerberg is another thing entirely, but you can watch his attempt here.