Facebook Security Vulnerability Allowed Attackers to Steal User Access Tokens

Facebook alerted users today that its engineering team on Tuesday had discovered a security issue affecting almost 50 million accounts. From Facebook's official report posted this morning: "Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app."
"This is a really serious security issue, and we’re taking it very seriously," said Mark Zuckerberg told reporters. "We have a major security effort at the company that hardens all our surfaces and investigates issues like this. ... It definitely is an issue that this happened in the first place. This underscores the attacks that our platform and community face."
Impact on non-Facebook properties: "FB's press office is no doubt being flooded now, but a key unanswered question is whether this bug impacts non-facebook properties, since millions of site let people log in with their FB accounts.


Popular Posts