The bad news for Facebook’s users just won’t end. Today Facebook had to admit that the accounts for 50 million people were somehow accessed by hackers abusing a little-known feature.
The “View As” feature gives you the ability to see what your profile looks like to somebody else—so you can check to see whether your privacy settings are being correctly applied, for example.
Hackers were able to abuse a security hole in this feature to steal access tokens and take over people’s accounts—basically, the login cookies that keep you logged in. This is not unlike the session hijacking attacks that became prevalent a number of years ago, in which people sniffed network traffic at hotspots. It’s one of the reasons you’d always want to use a VPN, and why the web has been switching to HTTPS. Except that in this case the bug was in Facebook’s code, so nothing on your end could protect you.
The problem appeared to be in a video uploader for sending messages, which shouldn’t have shown on the View As page, but it did. Once that video uploader was opened, the bug would essentially log the hacker in as the account the profile was being viewed as. They could then harvest that account’s friends list and exploit the bug to log in as every single friend of a friend until, six degrees of Kevin Bacon later, they had accessed 50 million accounts.
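As an added illustration (not from the article, and not Facebook’s code), here is a constructed Python model of the logic the article describes: a sub-component rendered in preview mode that issues a token for the previewed account instead of the logged-in viewer, beside a fixed version and the blanket token revocation that corresponds to logging everyone out. All names are hypothetical.

```python
"""Constructed model of an impersonation-preview token bug.

Added example, not Facebook's code. A 'View As' preview must change only
what is displayed; any credential minted while it is open must still belong
to the real authenticated user. All identifiers here are hypothetical."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user_id: str                    # the principal who actually logged in
    view_as: Optional[str] = None   # account whose view is being previewed


@dataclass
class TokenStore:
    issued: Dict[str, str] = field(default_factory=dict)  # token -> owner

    def mint(self, user_id: str) -> str:
        tok = secrets.token_hex(16)
        self.issued[tok] = user_id
        return tok

    def owner(self, tok: str) -> Optional[str]:
        return self.issued.get(tok)

    def revoke_all(self) -> int:
        """Server-side invalidation of every token (the 'log everyone out' response)."""
        count = len(self.issued)
        self.issued.clear()
        return count


def render_uploader_vulnerable(session: Session, store: TokenStore) -> str:
    # BUG: the component inherits the previewed identity and mints a token
    # for it, so whoever opened the preview now holds the other user's token.
    subject = session.view_as or session.user_id
    return store.mint(subject)


def render_uploader_fixed(session: Session, store: TokenStore) -> Optional[str]:
    # Fix 1: this component has no business appearing inside a preview at all.
    if session.view_as is not None:
        return None
    # Fix 2: even outside preview, tokens bind to the authenticated principal.
    return store.mint(session.user_id)
```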
What You Need to Know
Update: We now know that it’s very likely other applications using Facebook login were affected, and hackers could have accessed stuff like Instagram, Tinder, Spotify, or any number of other things.
Details on this debacle are very thin at this point, but here are the things that we do know:
- 50 million accounts were accessed.
- Facebook logged out 90 million people to be safe.
- This bug was fixed.
- Taking over a session cookie will not let an attacker access your password.
- We don’t know anything about how much data they were able to access or whether it affects third-party apps that use Facebook logins.
- You’ll get a notice at the top of Facebook letting you know what happened.
- There’s really nothing else you can do at this point.
Facebook has completely disabled the View As feature while they investigate how it all happened, how much data was lost, and how they can solve the problem going forward.
This data breach, combined with the recent news that Facebook is collecting shadow profiles and using your email address to target ads, is going to ramp up calls for GDPR-style regulation over these internet giants. As well it should.