On Friday, Facebook’s VP of product management Guy Rosen, in a post coordinated with one from founder Mark Zuckerberg, said the company had discovered on Tuesday afternoon that someone had abused access tokens for 50 million users.
While the impacted accounts represent only a small fraction of Facebook’s billions of monthly active users, the incident is still significant: an access token is what keeps a user logged in, so whoever holds a stolen token can use the account as that person without ever knowing the password.
According to Rosen, the attackers targeted Facebook’s ‘View As’ feature, which lets users see what their own profile looks like to someone else. The flaw they exploited was introduced when changes were made to Facebook’s video uploading feature in July 2017.
“The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Rosen wrote.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”
In response, Facebook has reset the access tokens of all 50 million affected accounts and, as a precaution, those of a further 40 million accounts that have used ‘View As’ in the last year, which means everyone in both groups has to log in again. The ‘View As’ feature itself has also been disabled.
It isn’t clear what, if any, information was exposed, but Zuckerberg said on a call with journalists that the attackers did try to access developer APIs, which were locked down Thursday evening.
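Facebook has not published how it reset the tokens, so the following is an added illustration rather than the company’s code: the standard way a service bulk-invalidates access tokens is to record a per-user cutoff timestamp and reject any token issued at or before it, which kills every stolen session at once without the server having to locate each token. The token format, the signing key, the `TokenService` class and the four-user population are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional

# Constructed signing key for this example only; a real service keeps this in an HSM/KMS.
SECRET = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Issues HMAC-signed access tokens and can bulk-revoke them per user.

    Revocation records, per user, a cutoff timestamp: any token issued at or
    before the cutoff is rejected, so all of that user's sessions die at once
    and the user must log in again to obtain a token issued after the cutoff.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 90 * 24 * 3600):
        self.secret = secret
        self.ttl = ttl_seconds
        self.revoked_before: Dict[str, float] = {}  # user id -> cutoff (issued-at)

    def issue(self, user_id: str, now: float) -> str:
        payload = json.dumps({"sub": user_id, "iat": now}, separators=(",", ":")).encode()
        sig = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def verify(self, token: str, now: float) -> Optional[str]:
        """Return the user id the token is valid for, or None if it must be rejected."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        claims = json.loads(payload)
        user_id, issued_at = claims["sub"], claims["iat"]
        if now - issued_at > self.ttl:
            return None  # expired
        if issued_at <= self.revoked_before.get(user_id, float("-inf")):
            return None  # issued before this user's tokens were reset
        return user_id

    def revoke_all(self, user_ids: Iterable[str], now: float) -> None:
        """Invalidate every token the given users currently hold."""
        for uid in user_ids:
            self.revoked_before[uid] = now


def simulate_incident_response() -> Dict[str, Optional[str]]:
    """Replay the response described above on a constructed population of four users."""
    svc = TokenService(SECRET)
    t_issue, t_reset, t_check = 1000.0, 2000.0, 3000.0
    affected = ["u1", "u2"]      # tokens known to have been stolen
    used_view_as = ["u3"]        # precautionary reset
    untouched = ["u4"]
    tokens = {u: svc.issue(u, t_issue) for u in affected + used_view_as + untouched}

    svc.revoke_all(affected + used_view_as, t_reset)
    results = {u: svc.verify(tok, t_check) for u, tok in tokens.items()}

    # u1 logs in again: a token issued after the cutoff is accepted.
    results["u1_after_relogin"] = svc.verify(svc.issue("u1", t_reset + 1), t_check)

    # A token whose signature was tampered with is rejected no matter whose it is.
    payload_b64, sig_b64 = tokens["u4"].split(".")
    bad_sig = _b64(bytes(b ^ 0xFF for b in _unb64(sig_b64)))
    results["u4_tampered"] = svc.verify(payload_b64 + "." + bad_sig, t_check)
    return results


if __name__ == "__main__":
    for name, outcome in simulate_incident_response().items():
        print(f"{name}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

The cutoff approach is what makes a 90-million-account reset cheap: it is one write per user rather than a scan of every outstanding token, and the check costs a single dictionary lookup at verification time. Tokens stolen before the reset fail the `issued_at <= cutoff` test even though their signatures are still valid.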
While it may seem the company released information too soon, given how little is known, it did so in the name of transparency, though the timing was effectively forced by GDPR’s breach-notification rule.
Under GDPR, Facebook must report the incident to regulators within 72 hours of becoming aware of it unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”
On a somewhat related note, it isn’t clear whether Friday’s disclosure is connected to the claim by a Taiwanese hacker, Chang Chi-yuan, who said he had found a bug that would let him delete Mark Zuckerberg’s account. Chang was set to live stream the attempt on Sunday, but cancelled after Bloomberg reported on his plans. He has since reported his findings to Facebook.
Salted Hash will continue to follow this story as it develops.