About a week ago Facebook reset logins for millions of users in an effort to mitigate its most recent data breach. This data breach may have exposed almost 50 million accounts. The data breach was possible due to three bugs in Facebook's code. The three bugs were introduced upon the release of Facebook's new video uploader in July of 2017. Zuckerberg stated a week ago that the attack made use of the "View as" feature.
The first bug of the attack originated from the "View as" function: the video uploader was present when using "View as", which was not the expected behavior. The second bug was that activating the video uploader created a single sign-on token. The third bug was that the single sign-on token created used the identity of the user being viewed as, rather than the identity of the user who was actually logged in. Guy Rosen, Facebook's vice president of product management, stated "We saw this attack being used at a fairly large scale," and "The attackers could get an access token, pivot to other accounts, and look up other users to get further access tokens."
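The bug class described above is an impersonation context leaking into a token issuer: a page rendered "as" another user mints a credential for that displayed identity instead of the authenticated one. The following is an added toy model, not Facebook's code; every name in it (`RequestContext`, `render_profile_vulnerable`, `render_profile_fixed`, `audit_token`, the HMAC token format and the demo key) is an assumption made for illustration. It shows the three bugs chained in one function, the corrected rendering path beside it, and a server-side check that flags any token whose subject is not the session's authenticated principal.

```python
"""Toy model of a "view as" feature that mints a single sign-on token.

Constructed example only; not Facebook's code. Names, token format and
the demo key are assumptions for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed demo key; a real service would use a managed signing key.
DEMO_SIGNING_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class RequestContext:
    authenticated_user: str          # who actually logged in (session principal)
    view_as_user: Optional[str]      # whose perspective the page is rendered from, if any


def mint_token(subject: str) -> str:
    """Mint a minimal HMAC-bound token for `subject` (demo format: 'subject:mac')."""
    mac = hmac.new(DEMO_SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}:{mac}"


def token_subject(token: str) -> str:
    """Verify the MAC and return the subject the token was minted for."""
    subject, mac = token.split(":", 1)
    expected = hmac.new(DEMO_SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad token MAC")
    return subject


def render_profile_vulnerable(ctx: RequestContext) -> Tuple[List[str], Optional[str]]:
    """The three bugs chained, as the post describes them."""
    # Bug 1: the uploader widget is rendered even in "view as" mode.
    widgets = ["posts", "video_uploader"]
    token = None
    if "video_uploader" in widgets:
        # Bug 2: activating the uploader mints a single sign-on token.
        # Bug 3: the token is minted for the displayed identity, not the session principal.
        token = mint_token(ctx.view_as_user or ctx.authenticated_user)
    return widgets, token


def render_profile_fixed(ctx: RequestContext) -> Tuple[List[str], Optional[str]]:
    """Corrected path: no uploader in impersonation mode, tokens bound to the principal."""
    widgets = ["posts"]
    token = None
    if ctx.view_as_user is None:
        widgets.append("video_uploader")
        token = mint_token(ctx.authenticated_user)  # never the viewed-as identity
    return widgets, token


def audit_token(ctx: RequestContext, token: Optional[str]) -> bool:
    """Detection check: True when a minted token's subject is not the logged-in user."""
    if token is None:
        return False
    return token_subject(token) != ctx.authenticated_user


if __name__ == "__main__":
    ctx = RequestContext(authenticated_user="alice", view_as_user="bob")
    _, leaked = render_profile_vulnerable(ctx)
    print("vulnerable path minted token for:", token_subject(leaked))   # bob
    print("audit flags it:", audit_token(ctx, leaked))                  # True
    _, safe = render_profile_fixed(ctx)
    print("fixed path token in view-as mode:", safe)                    # None
```

The `audit_token` check is the kind of invariant a token-issuing service can enforce at mint time or in log review: whatever the page is rendering, a credential's subject must equal the authenticated session principal, and an impersonation or preview context must never reach the issuer at all.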
This vulnerability allowed attackers to essentially generate single sign-on tokens for users and use these tokens to access websites and applications that use Facebook's single sign-on API. Since this vulnerability was made public, Facebook has contacted the FBI, patched these three bugs and disabled the "View as" feature. As of right now, Facebook has not indicated that a specific group of users was targeted in this attack.