Sometime during the day Friday, I noticed that I had been logged out of Facebook on my phone as well as the browser. It was certainly not routine, but it wasn’t something I was worried about. Now it seems the logging out was part of action taken by Facebook to plug a security flaw that had affected at least 50 million users.
In a blog post on September 28, Guy Rosen, Facebook’s VP of Product Management, said the flaw was discovered by the social network’s engineering team on September 25. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”
Meanwhile, Facebook founder and CEO Mark Zuckerberg said: “We face constant attacks from people who want to take over accounts or steal information around the world. While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
In a press call, Zuckerberg said “initial investigation” has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. “But this, of course, may change as we learn more. The attackers did try to query our APIs to access profile information fields — like name, gender, hometown, et cetera — but we do not yet know if any private information was accessed that way. We’re continuing to look into this and we will update when we learn more.”
Interestingly, just hours before, a Taiwanese hacker had claimed he would livestream an attempt to wipe out Mark Zuckerberg’s Facebook page this Sunday.
Rosen, cautioning that Facebook’s investigation was still in its early stages, said the attackers “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else”. He said this vulnerability allowed “them to steal Facebook access tokens which they could then use to take over people’s accounts”. Access tokens are the digital keys that keep users logged in to an account, so they do not have to enter their passwords every time.
Rosen claimed the vulnerability has been fixed and security agencies have been informed. He added that access tokens of the almost 50 million affected accounts, as well as another 40 million accounts, have been reset.
This is why over 90 million users, including yours truly, had to log back in to the Facebook app. Also, the ‘View As’ feature, which most Facebook users did not even know existed, has been temporarily disabled to allow a “thorough security review”.
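To show what a “token reset” of the kind described above actually means on the server side, here is an added illustration in Python. It is not Facebook’s code and does not describe how Facebook’s systems or the ‘View As’ flaw work; it is a generic bearer-token design in which every token carries a per-user generation number, so bumping that number for a list of accounts silently invalidates every token those accounts were issued (the users are logged out and must sign in again, as happened here). It also gives a preview token a restricted scope, so that a token minted only to render a profile preview cannot be used to act as the account. `TokenStore`, `SERVER_KEY`, the scope names and the sample user ids are all constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed for this example: a process-local signing key. A real service
# would keep this in a KMS/HSM and rotate it; here it only makes tokens
# unforgeable without the server's cooperation.
SERVER_KEY = os.urandom(32)

# Hypothetical scopes: a full session versus a read-only preview token.
SCOPE_FULL = "full"
SCOPE_PREVIEW = "preview"


@dataclass
class TokenStore:
    # user_id -> current token generation. Every token embeds the generation
    # it was issued under; a reset bumps the number, so older tokens fail.
    generations: dict = field(default_factory=dict)

    def _sign(self, payload: str) -> str:
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, scope: str = SCOPE_FULL,
              ttl: int = 3600, now: int = 0) -> str:
        """Mint a signed bearer token bound to user, generation, scope, expiry."""
        gen = self.generations.setdefault(user_id, 1)
        payload = f"{user_id}|{gen}|{scope}|{now + ttl}"
        return f"{payload}|{self._sign(payload)}"

    def validate(self, token: str, now: int = 0):
        """Return the token's claims, or None if it is forged, expired or reset."""
        try:
            user_id, gen, scope, exp, sig = token.split("|")
            gen, exp = int(gen), int(exp)
        except ValueError:
            return None  # malformed token
        payload = f"{user_id}|{gen}|{scope}|{exp}"
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        if now >= exp:
            return None  # expired
        if gen != self.generations.get(user_id):
            return None  # issued before a reset: treated as revoked
        return {"user_id": user_id, "scope": scope}

    def reset(self, user_ids) -> int:
        """Invalidate every outstanding token for the given accounts."""
        for uid in user_ids:
            self.generations[uid] = self.generations.get(uid, 1) + 1
        return len(user_ids)


def allows_write(claims) -> bool:
    """Only a full-scope token may post, message or change account settings;
    a preview token, even if it leaked, cannot act as the account."""
    return bool(claims) and claims["scope"] == SCOPE_FULL


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("1001", now=1000)
    print("valid before reset:", store.validate(t, now=1500))
    store.reset(["1001"])  # forces a re-login for that account
    print("valid after reset:", store.validate(t, now=1500))
```

The design choice worth noting is that revocation is stateless from the token’s point of view: the server stores one small integer per user rather than a list of every live token, which is what makes resetting tens of millions of accounts at once practical, and a forced re-login is simply the visible side effect of that integer changing.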
Rosen said they had not yet determined if these accounts were misused or any information was accessed. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change,” he said in the post, adding that if more affected accounts were found, the access tokens will be immediately reset. Apologising for the breach, the Facebook VP said “there’s no need for anyone to change their passwords” at the moment.
As for my account, in the past 24 hours there has been at least one incident that I could not explain: someone waved to a friend on Instant Messenger from my account… it certainly wasn’t me.