Exploited vulnerability in Facebook ‘View As’ feature affects 50 million accounts

Facebook, one of the world’s largest social networking platforms, on Friday admitted to a security breach. It reported that a vulnerability in the site exposed the personal information of about 50 million Facebook users. The attackers exploited a flaw that disclosed access tokens for people’s accounts in the HTML the site rendered for a component of the “View As” feature. An access token is what keeps a user logged in without re-entering a password, so whoever holds one can act as that user; the attackers could therefore access the affected accounts and potentially take control of them.


Security breach through Facebook ‘View As’ feature

View As is a privacy feature that lets Facebook users check how their own profile appears to someone else. It is meant to be a view-only interface. However, one type of composer (the box that lets you post content to Facebook), specifically the video uploader shown on posts that encourage people to wish a friend ‘happy birthday’, was incorrectly rendered inside View As, and that gave the attackers their opening.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” wrote Guy Rosen, VP of Product Management.

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” he added.

The second bug, found by Facebook’s engineers, was in the new version of the video uploader introduced in July 2017. It incorrectly generated an access token that carried the permissions of the Facebook mobile app.

The third and final bug appeared when the video uploader was shown as part of ‘View As’: it generated the access token not for the logged-in user but for the person whose view was being simulated. Combined, the three bugs meant that anyone running View As could obtain a working token for the user they were looking up, and then repeat the process from that account.
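To make the three-bug chain concrete, here is an added example that is not Facebook’s code and models none of its real APIs: a toy server that signs bearer tokens, a vulnerable View As renderer that reproduces all three mistakes (a composer shown on a view-only page, a token minted with broad scope, and the token bound to the impersonated user instead of the session user), its hardened form, and an attacker loop that pivots from one harvested token to the next victim’s friends. The user names, the social graph, the signing key and the HTML shape are all constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Optional

# Server-side signing key, constructed for this example only (not a real secret).
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

# Hypothetical token format: "<user>|<scope>|<hmac>"; real systems use opaque or JWT-style tokens.
TOKEN_RE = re.compile(r"accessToken='([^']+)'")


def mint_token(user_id: str, scope: str) -> str:
    """Mint a bearer token bound to exactly one principal and one scope."""
    payload = f"{user_id}|{scope}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def token_subject(token: str) -> Optional[str]:
    """Return the user a token is bound to, or None if it is malformed or forged."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user_id, scope, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{user_id}|{scope}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(sig, expected) else None


def render_view_as_vulnerable(profile_owner: str, viewer: str) -> str:
    """profile_owner is logged in and asks to see their own profile as 'viewer' sees it.
    Bug 1: a post composer (video uploader) is rendered on this view-only page.
    Bug 2: the composer mints a token with the mobile app's broad scope.
    Bug 3: the token is minted for the impersonated viewer, not the logged-in owner.
    The token is then embedded in the HTML sent back to profile_owner's browser."""
    html = f"<div class='profile'>{profile_owner} as seen by {viewer}</div>"
    html += "<div class='composer'>Wish your friend a happy birthday!</div>"
    composer_token = mint_token(viewer, "mobile_app")  # wrong principal, wrong scope, wrong page
    html += f"<script>window.accessToken='{composer_token}';</script>"
    return html


def render_view_as_fixed(profile_owner: str, viewer: str) -> str:
    """Hardened View As: strictly read-only, so no composer and no token at all."""
    return f"<div class='profile'>{profile_owner} as seen by {viewer}</div>"


def composer_token_fixed(session_user: str) -> str:
    """Hardened composer: a token is only ever issued to the authenticated session
    user, with the narrow scope the uploader actually needs."""
    return mint_token(session_user, "upload_video")


def harvest(html: str) -> Optional[str]:
    """What the attacker does: pull the token out of the rendered page."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def attack_chain(attacker: str, friends: Dict[str, List[str]],
                 render: Callable[[str, str], str]) -> List[str]:
    """Breadth-first pivot: authenticate with each harvested token as that victim,
    run View As against each of the victim's friends, harvest their tokens, repeat.
    Returns the users whose tokens were obtained, in the order they fell."""
    compromised: List[str] = []
    seen = {attacker}
    queue = [attacker]
    while queue:
        current = queue.pop(0)  # attacker holds a valid token for 'current'
        for friend in friends.get(current, []):
            if friend in seen:
                continue
            token = harvest(render(current, friend))
            victim = token_subject(token) if token else None
            if victim is None:
                continue  # hardened renderer: nothing to pivot on
            seen.add(victim)
            compromised.append(victim)
            queue.append(victim)
    return compromised


# Constructed social graph for the demonstration.
SOCIAL_GRAPH: Dict[str, List[str]] = {
    "attacker": ["alice"],
    "alice": ["bob", "carol"],
    "bob": ["dave"],
    "carol": [],
    "dave": ["attacker"],
}

if __name__ == "__main__":
    print("vulnerable:", attack_chain("attacker", SOCIAL_GRAPH, render_view_as_vulnerable))
    print("fixed:     ", attack_chain("attacker", SOCIAL_GRAPH, render_view_as_fixed))
```

The design point is that the fix is not a single line: the page should not render a composer at all, and even where a composer legitimately exists, the token it mints must be bound to the authenticated session and scoped to that one action. Either change alone stops the pivot in this model; the vulnerable renderer needs all three mistakes for the chain to run.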

Facebook reset the access tokens of the affected accounts and, as a precaution, of another 40 million users. It has also temporarily disabled the ‘View As’ feature. Facebook is already under scrutiny over how it handles its users’ private information, and this incident has only added to that pressure.

The author Hemant Saxena is a post-graduate in technology and has an immense interest in following Microsoft and other technology developments around the world. Quiet by nature, he is an avid Lacrosse player.