
Facebook security issue affecting 50 million people could have let hackers log in to your account

Facebook this morning disclosed a widespread security flaw that could have allowed hackers or other malicious third parties to take over an affected user's account by obtaining that user's access token. The flaw affected as many as 50 million people, and Facebook says it is forcing around 90 million users to log back into their accounts today to be safe. It also says it has fixed the issue and alerted law enforcement, indicating this may not have been an accidental engineering mistake that went unused, but a vulnerability that was discovered and potentially exploited by some third-party organization or hacker.

The company says its engineering team was made aware of the issue on September 25th, but Guy Rosen, Facebook’s vice president of product management, says it’s not clear whether accounts were compromised or who might have been behind any malicious activity related to the security issue.

The flaw could have let someone exploit the “View As” feature, which lets you view your own profile as it appears to another user or to the public, as a way of evaluating your specific sharing settings. However, it appears that the feature inadvertently exposed access tokens when someone selected a profile as the desired View As target, and the exposed token belonged to the user being impersonated rather than to the person running the preview. That would let the attacker act as the other person's account. Access tokens are the bearer credentials that keep users logged in, on mobile apps in particular, without retyping their password; anyone who holds a valid token can act as that user until the token is revoked, which is why a forced re-login (and the accompanying token invalidation) is the remediation.
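The bug class the article describes, an impersonating preview that mints credentials for the impersonated user, is easy to reproduce in miniature. The following Python model is an added example, not Facebook's code (whose internals are not public); the user names, posts, the video-uploader widget and the HMAC token format are all constructed for illustration. The vulnerable renderer swaps the request's "current user" to the preview target and lets every page component, including the uploader, read its identity from that one field; the hardened renderer separates the viewer used for visibility decisions from the session used for credentials and never embeds a token in a preview.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample data and an assumed server-side signing key (illustrative only).
SERVER_KEY = secrets.token_bytes(32)
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}}
POSTS = {
    "alice": [("public", "Hello world"), ("friends", "Lunch photos"), ("only_me", "Draft")],
}


def mint_token(subject: str, audience: str) -> str:
    """HMAC-signed bearer token: whoever holds it can act as `subject`."""
    payload = json.dumps({"sub": subject, "aud": audience}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(x).decode() for x in (payload, sig))


def token_subject(token: str) -> str:
    """Verify the signature and return the user the token acts as."""
    p64, s64 = token.split(".")
    payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad token signature")
    return json.loads(payload)["sub"]


def visible_posts(owner: str, viewer: str) -> list:
    """Apply the owner's sharing settings from the viewer's perspective."""
    out = []
    for audience, text in POSTS.get(owner, []):
        if viewer == owner or audience == "public" or (
            audience == "friends" and viewer in FRIENDS.get(owner, set())
        ):
            out.append(text)
    return out


def uploader_widget(token_user: str) -> str:
    """The uploader needs a token to call the upload API; it is embedded in the HTML."""
    return f'<div id="uploader" data-token="{mint_token(token_user, "video_upload")}"></div>'


def render_view_as_vulnerable(session_user: str, view_as: str) -> str:
    # Mistake: the whole request is re-homed onto the preview target, so the
    # uploader mints a token for `view_as` and ships it to `session_user`.
    current_user = view_as
    body = "".join(f"<p>{t}</p>" for t in visible_posts(session_user, current_user))
    return body + uploader_widget(current_user)


def render_view_as_fixed(session_user: str, view_as: str) -> str:
    # Visibility is computed for the preview viewer; credentials are only ever
    # minted for the authenticated session, and never inside a preview.
    body = "".join(f"<p>{t}</p>" for t in visible_posts(session_user, view_as))
    if view_as != session_user:
        return body  # preview mode: no uploader, no token
    return body + uploader_widget(session_user)


def tokens_in_page(html: str) -> list:
    """What an attacker would scrape from the served HTML."""
    return re.findall(r'data-token="([^"]+)"', html)


if __name__ == "__main__":
    leaked = tokens_in_page(render_view_as_vulnerable("alice", "bob"))
    print("vulnerable preview leaks a token for:", [token_subject(t) for t in leaked])
    print("fixed preview tokens:", tokens_in_page(render_view_as_fixed("alice", "bob")))
```

Running the script shows the vulnerable preview handing Alice a token whose subject is Bob, while the hardened preview embeds nothing; the same check (scan every served page for tokens and compare their subject to the authenticated session) is a cheap regression test for any impersonation or "view as" feature.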

In addition to making 90 million users log in again today, Facebook said it is also disabling the View As feature “while it conducts a thorough security review.” The company gives a bit of technical analysis as to how the exploit worked, but there are still not many concrete details here:

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

News of this security exploit comes just hours after a prominent Taiwan hacker by the name of Chang Chi-yuan pledged to delete Facebook CEO Mark Zuckerberg’s personal page on Sunday as a way to demonstrate either some type of security flaw in Facebook or perhaps Chi-yuan’s proficiency as a hacker, or both. It is not clear at all whether the issue affecting Facebook’s View As feature is the one Chi-yuan intended to exploit. But the timing is uncanny.

Also a pressing concern for Facebook is the absence of a chief security officer, after former CSO Alex Stamos left the company last month. Following Stamos’ departure, Facebook said it would not be filling the CSO role and would instead restructure its security organization and embed specialists through its many divisions. A Facebook spokesperson said at the time that the company would “continue to evaluate what kind of structure works best” to protect users’ security.



from The Verge - Teches https://ift.tt/2OloEfH

