
Facebook security issue affecting 50 million people would have let hackers log in to your account

Facebook this morning disclosed a widespread security flaw that could have allowed hackers or other malicious third parties to access an affected user's account by obtaining their access token. The flaw affected as many as 50 million people, and Facebook says it is forcibly logging around 90 million users out of their accounts today, requiring them to log back in, to be safe. It also says it has fixed the issue and alerted law enforcement, indicating this may not have been an accidental engineering mistake that went unnoticed, but a vulnerability discovered and actively exploited by some third-party organization or hacker.

The company says its engineering team was made aware of the issue on September 25th, but Guy Rosen, Facebook’s vice president of product management, says it’s not clear whether accounts were compromised or who might have been behind any malicious activity related to the security issue.

The flaw involved the "View As" feature, which lets you view your own profile as it appears to another user or to the public, as a way of checking your sharing settings. It appears that the feature inadvertently exposed the access token of the profile selected as the View As target, rather than the viewer's own. Anyone who obtained that token could then act as that person. Facebook access tokens are bearer credentials: the digital keys that let the mobile apps stay logged in without retyping a password, which also means that whoever holds a copy of one can use the account without the password.

In addition to making 90 million users log in again today, Facebook said it is also disabling the View As feature "while it conducts a thorough security review." The company gives a bit of technical analysis of how the exploit worked, but there are still few concrete details:

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
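To make the bug class concrete, the following is an added, illustrative model of the token confusion described above; it is not Facebook's code. It assumes an HMAC-signed bearer token, a tiny profile store with friends-only sharing settings, and a per-user "generation" counter whose bump stands in for the mass forced re-login. The vulnerable preview handler ships a token minted for the View As target; the fixed handler renders the preview server-side and never issues a credential for any principal other than the caller.

```python
"""Model of the 'View As' token-confusion bug class.

Added example, not Facebook's implementation. The token format, user
names, profile data and the GENERATIONS counter are assumptions.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"demo-signing-key"  # constructed; a real deployment uses a managed key

# Per-user token generation; bumping it invalidates every token issued
# to that user, which is the effect of forcing someone to log back in.
GENERATIONS = {"alice": 1, "mallory": 1}

PROFILES = {  # constructed sample data
    "alice": {"name": "Alice", "phone": "555-0100", "phone_audience": "friends"},
    "mallory": {"name": "Mallory", "phone": "555-0199", "phone_audience": "friends"},
}
FRIENDS = {frozenset({"alice", "bob"})}


def mint_token(user_id: str) -> str:
    """Bearer token = base64(claims).hmac. Whoever holds it acts as user_id."""
    claims = {"sub": user_id, "gen": GENERATIONS[user_id]}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str):
    """Return the user the token authenticates, or None if invalid or reset."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["gen"] != GENERATIONS.get(claims["sub"]):
        return None  # issued before the user's tokens were reset
    return claims["sub"]


def reset_tokens(user_id: str) -> None:
    """Invalidate all outstanding tokens for user_id (the 'log back in' remedy)."""
    GENERATIONS[user_id] += 1


def render_profile(owner: str, as_seen_by: str) -> dict:
    """Apply the owner's sharing settings from the perspective of as_seen_by."""
    p = PROFILES[owner]
    view = {"name": p["name"]}
    is_friend = frozenset({owner, as_seen_by}) in FRIENDS
    if as_seen_by == owner or (p["phone_audience"] == "friends" and is_friend):
        view["phone"] = p["phone"]
    return view


def view_as_vulnerable(session_token: str, target: str) -> dict:
    """Preview the caller's own profile as `target` sees it, the buggy way."""
    viewer = verify_token(session_token)
    if viewer is None:
        raise PermissionError("not logged in")
    page = render_profile(owner=viewer, as_seen_by=target)
    # BUG: to make embedded widgets behave "as" the target, the page ships
    # a token minted for the target. The viewer can read it straight out of
    # the response, and it is a full bearer credential for the target.
    page["embedded_token"] = mint_token(target)
    return page


def view_as_fixed(session_token: str, target: str) -> dict:
    """Same preview, but no credential for any principal other than the caller."""
    viewer = verify_token(session_token)
    if viewer is None:
        raise PermissionError("not logged in")
    page = render_profile(owner=viewer, as_seen_by=target)
    # Widgets keep using the caller's own token; the preview is computed
    # server-side and needs no authority belonging to `target`.
    page["embedded_token"] = session_token
    return page


def demo() -> dict:
    """Walk through leak, takeover and remediation; return what each step saw."""
    mallory_session = mint_token("mallory")
    leaked = view_as_vulnerable(mallory_session, target="alice")["embedded_token"]
    takeover_as = verify_token(leaked)            # "alice": account takeover
    safe = view_as_fixed(mallory_session, target="alice")["embedded_token"]
    fixed_as = verify_token(safe)                 # "mallory": nothing gained
    reset_tokens("alice")                         # force Alice to log back in
    after_reset = verify_token(leaked)            # None: the leaked token is dead
    return {"takeover_as": takeover_as, "fixed_as": fixed_as, "after_reset": after_reset}


if __name__ == "__main__":
    print(demo())
```

The generation counter is the point of the forced re-login: once a token may have been copied, the only reliable remedy is to invalidate every token issued to the affected users, not just the ones known to have leaked.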

News of this security exploit comes just hours after a prominent Taiwanese hacker, Chang Chi-yuan, pledged to delete Facebook CEO Mark Zuckerberg's personal page on Sunday as a way to demonstrate either some type of security flaw in Facebook, or Chang's proficiency as a hacker, or both. It is not clear whether the issue affecting Facebook's View As feature is the one Chang intended to exploit. But the timing is uncanny.

Also a pressing concern for Facebook is the absence of a chief security officer, after former CSO Alex Stamos left the company last month. Following Stamos’ departure, Facebook said it would not be filling the CSO role and would instead restructure its security organization and embed specialists through its many divisions. A Facebook spokesperson said at the time that the company would “continue to evaluate what kind of structure works best” to protect users’ security.



from The Verge - Teches https://ift.tt/2OloEfH
