
Facebook security breach puts 50 million user accounts at risk

Facebook View As feature contained a security flaw

Failure to secure “View As” feature results in Facebook vulnerability affecting millions

The Facebook security breach occurred due to an insecure “View As” feature. According to experts, the bug gave fraudsters a chance to take control of users’ accounts, including the one belonging to Mark Zuckerberg, the CEO of the social media giant. Guy Rosen, the VP of Product Management at Facebook, disclosed the Facebook security breach “affecting 50 million accounts” in an official statement published on September 28th, 2018. The social media giant immediately fixed the issue and informed law enforcement.

The statement says that the investigation into the security breach is still in progress. However, it is now clear that the method hackers used to gain control of victims’ accounts is related to Facebook’s “View As” feature, which allows users to view their own profiles as someone else would see them. It turns out that the feature gave hackers a chance to steal so-called FB access tokens, which were later used to access victims’ accounts illegally. Pedro Canahuati, the Vice President of Security and Privacy at Facebook, says the vulnerability “was the result” of the three bugs listed below.

Three bugs creating the vulnerability

  • The “View As” feature was meant to be a view-only interface. It turned out that for one type of composer (specifically the one that allows posting a happy birthday wish), “View As” made it possible to post a video.
  • A new version of the video uploader was introduced in July 2017. It incorrectly generated an access token that held the permissions of the mobile version of the Facebook app.
  • When the faulty video uploader appeared in “View As” mode, it generated an access token for the person you were viewing your profile as, not for you as the viewer.

The access token was present in the HTML code of the page, so it was easily accessible to attackers. For those unfamiliar with access tokens: they keep people logged into the social media platform, so you do not need to log in again every day.
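As an added illustration (a constructed example, not Facebook’s code; the token format, function names and user names are all hypothetical), the following Python models the combined effect of the three bugs described above: a “view as” preview that exposes an uploader, which mints a token for the impersonated user and embeds it in the page HTML. It also shows the two defensive checks a practitioner would want: token issuance that refuses any subject other than the authenticated session user, and an audit that scans rendered HTML for embedded tokens belonging to someone else.

```python
import base64, hashlib, hmac, json, re

SECRET = b"constructed-demo-signing-key"  # hypothetical; a real service would use a managed key

def mint_token(subject: str, scope: str) -> str:
    """Mint a minimal HMAC-signed token of the form base64(payload).hexsig (constructed format)."""
    payload = json.dumps({"sub": subject, "scope": scope}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def token_subject(token: str) -> str:
    """Verify the signature and return the user the token was minted for."""
    payload_b64, sig = token.split(".", 1)
    payload = base64.urlsafe_b64decode(payload_b64)
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("token signature does not verify")
    return json.loads(payload)["sub"]

def issue_token(session_user: str, requested_subject: str, scope: str) -> str:
    """Hardened issuance: a token may only ever name the authenticated session user."""
    if requested_subject != session_user:
        raise PermissionError("token subject must equal the authenticated user, not an impersonated one")
    return mint_token(requested_subject, scope)

def render_view_as_vulnerable(session_user: str, view_as_user: str) -> str:
    """Models the three bugs combined: the preview exposes an uploader, the uploader mints
    a token for the wrong user (the one being impersonated), and the token lands in the HTML."""
    token = mint_token(view_as_user, "mobile_app")  # wrong subject: view_as_user, not session_user
    return f'<div class="composer"><input data-access-token="{token}"></div>'

def render_view_as_hardened(session_user: str, view_as_user: str) -> str:
    """The preview stays view-only: no uploader, so no token is minted or embedded at all."""
    return f'<div class="composer" data-read-only="true" data-preview-of="{view_as_user}"></div>'

TOKEN_ATTR = re.compile(r'data-access-token="([^"]+)"')

def foreign_tokens_in_page(html: str, session_user: str) -> list:
    """Audit helper: subjects of any embedded tokens that do not belong to the session user."""
    return [s for s in (token_subject(t) for t in TOKEN_ATTR.findall(html)) if s != session_user]
```

Running the audit over the two renderers shows the vulnerable preview leaking a token for the impersonated user while the hardened one embeds none.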

Facebook issues new access tokens for 90 million accounts

Facebook has already reset the access tokens for the 50 million affected accounts. Additionally, tokens were reset for an extra 40 million accounts that were not affected by the Facebook security breach. As a result, around 90 million people will be asked to log back into their accounts the next time they launch the Facebook app. A notification explaining what has happened will also appear at the top of the news feed.

The “View As” feature, which contained the vulnerability in its code, has been temporarily turned off. The social media giant’s programmers are currently reviewing the code and making sure it meets top quality and security standards.

It is still unclear who is behind the attack

Facebook is in the middle of an investigation to find out how the compromised accounts were affected. The aim is to discover whether the hackers sought to misuse them or to dig for private information. At the moment, it is unclear who these hackers are and what country they operate from. Facebook apologized for failing to spot the vulnerability before fraudsters did. In addition, it promised to keep resetting access tokens for any vulnerable accounts as they are discovered. You can read the official statement about the Facebook security breach in the FB Newsroom. If you want to learn more about securing your account and identifying scams and viruses on the social media platform, consider reading our insights on Facebook viruses.

It is unknown whether this has anything to do with a website bug bounty hunter known as Chang Chi-yuan. On Sunday, the Taiwanese bug hunter published a statement saying that he was going to live-stream hacking M. Zuckerberg’s account. However, later that day he called off his plans, explaining that he didn’t expect his intentions to go viral. It is not yet clear whether he planned to use the vulnerability in “View As” mode or not.
