Got logged out of Facebook? Well, your account was breached
On Friday, millions of users abruptly started getting logged out of Facebook. Some, including myself, even got logged out of Messenger. While getting logged out would not normally be alarming, Facebook has said that in this instance it happened as a side effect of its efforts to plug a security breach that affected as many as 50 million users! Here are the details.
Details of the security flaw
In a blog post on Friday, Facebook said that the vulnerability had been discovered by Facebook's engineering team on September 25. Exploiting a vulnerability in Facebook's 'View As' feature, the attackers were able to steal access tokens that allowed them to take over people's accounts. Consequently, Facebook reset the access tokens of the 50 million affected accounts, and another 40 million accounts.
The vulnerability was unintentionally created in July 2017
Facebook also said that the vulnerability had been created in July 2017 when a new video upload feature was launched. After noticing anomalies, Facebook launched a probe on September 16 and discovered the vulnerability on September 25. The social media giant claims that the vulnerability was fixed on September 27, after which it began resetting access tokens, which is what caused users to be logged out.
Why did it take Facebook so long to detect it?
The vulnerability resulted from the combination of three bugs affecting access tokens in Facebook accounts. When the social media giant was asked as to why it took so long to find the bug, Facebook's VP of Product Management, Guy Rosen, said that despite conducting code reviews using static analysis tools, the "complex interaction of bugs that led to this vulnerability" wasn't detected.
While passwords weren't stolen, the damage could still be considerable
Facebook confirmed that passwords were not stolen, because the attackers took over people's accounts via 'access tokens', the digital keys that keep you logged in. However, it's not known for how long the hackers exploited the vulnerability. The extent of the damage isn't known either: hackers could have stolen profile data (as in the Cambridge Analytica scandal), as well as personal data such as messages and photos.
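To make concrete why a stolen access token grants account access without the password, and why resetting tokens (as Facebook did for the affected accounts) kills that access while leaving passwords untouched, here is an added example. It is not Facebook's code; the signing scheme, class and function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment signing key


class TokenService:
    """Toy model of bearer access tokens with per-account bulk revocation (constructed example)."""

    def __init__(self):
        self.passwords = {}         # user -> password hash; a token reset never touches this
        self.token_generation = {}  # user -> generation number embedded in every issued token

    def register(self, user: str, password: str) -> None:
        # sha256 stands in for a real password KDF here; the point is that it is never rotated
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()
        self.token_generation[user] = 0

    def _sign(self, payload: bytes) -> str:
        return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

    def issue_token(self, user: str) -> str:
        # A bearer token: whoever holds it is treated as `user`, no password needed
        payload = json.dumps({"user": user, "gen": self.token_generation[user]}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def validate(self, token: str) -> Optional[str]:
        try:
            b64, sig = token.split(".")
            payload = base64.urlsafe_b64decode(b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # forged or tampered
        claims = json.loads(payload)
        if claims.get("gen") != self.token_generation.get(claims.get("user")):
            return None  # revoked: issued before the account's last token reset
        return claims["user"]

    def reset_tokens(self, users) -> None:
        # Bumping the generation invalidates every outstanding token at once,
        # so every device of those users is logged out and must re-authenticate.
        for u in users:
            self.token_generation[u] += 1


def demo():
    svc = TokenService()
    svc.register("alice", "correct horse")
    leaked = svc.issue_token("alice")           # constructed: imagine this token was stolen
    before = svc.validate(leaked)               # "alice": the token alone grants access
    svc.reset_tokens(["alice"])                 # the mitigation: reset affected accounts' tokens
    after = svc.validate(leaked)                # None: the stolen token is now useless
    fresh_ok = svc.validate(svc.issue_token("alice")) == "alice"  # re-login works
    pw_intact = svc.passwords["alice"] == hashlib.sha256(b"correct horse").hexdigest()
    return before, after, fresh_ok, pw_intact
```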
So what can you do about the breach?
While there's nothing you need to do right now, Saket Modi, CEO & Co-Founder of security firm Lucideus, believes that users should, as a precautionary measure, log out of and back in to their Facebook accounts on all their devices.