Updated: Facebook confessed today that buggy code potentially exposed all of its users' accounts to hackers over the past 14 months. It reckons miscreants snooped on at least 50 million people's private profiles, and perhaps as many as 90 million.
In a security note posted Friday morning, the social media giant's VP of product management Guy Rosen said the biz uncovered a security hole earlier this week that allowed scumbags to snatch tens of millions of people's account access tokens.
These tokens were used to log into the associated Facebook accounts without knowing their passwords, letting crooks download victims' private information, photos, and videos.
The stolen tokens could also be used to log into apps and websites that were connected to each of the hacked Facebook accounts. Those apps and sites could then be ransacked by the cyber-attackers. It would be trivial: use a stolen token to log into someone's Facebook profile, then log into sites and apps linked to that account.
In effect, every single Facebook user account was wide open to being hacked, although the Silicon Valley goliath estimated that "only" 50 million accounts were, in the words of a spokesperson, "directly affected." A further 40 million had their accounts "looked up." It has patched the hole, and logged out 90 million users to invalidate their access tokens. Facebook staff said it appears no posts were made on users' behalf by the hackers, and that no credit card information was taken. "We will update you as we know more," a representative told us.
The security hole was available through the "View As" option – where users can check how others might see their profile, allowing folks to make sure that their private stuff is private and public posts are visible. The biz's engineers discovered that hackers had found a hole that allowed them "to steal Facebook access tokens which they could then use to take over people’s accounts."
"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017," the social network said in a statement.
In a press conference held Friday morning in the valley, a Facebook representative went into greater detail. The hole was the result of three different bugs: the first caused a video upload feature to appear on certain posts when it shouldn't have; the second caused that uploader to generate an access token; and the third, critically, caused the generated access token to be for the person being looked up, rather than for the actual user doing the looking. That meant a third party was potentially able to directly access any user's account.
Facebook spotted the hole after it noted a suspicious "spike" in user activity on Tuesday. The attack was "fairly large scale," it admitted, and when it investigated the cause, it discovered hackers were using the site's API to automate the process of grabbing users' profile information.
Facebook said it went to law enforcement the next day, patched the hole soon after, and logged out all accounts that accessed the "View As" option since July 2017.
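To make the third bug concrete, and the mass logout that followed it, here is an added illustration in Python. It is not Facebook's code and the names (`TokenStore`, `mint_view_as_token_buggy`, `VIEW_AS_SOURCE`, the dates and user names) are constructed for the example. It models the defect described above as a single step, a token minted with the viewed profile as its subject instead of the authenticated viewer, shows the issuance invariant and use-time check that stop such a token from being honoured, and finishes with the revocation of every token minted through that code path since a cutoff date, which is what logging out all "View As" users since July 2017 amounts to.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Constructed timestamps for the scenario (not the real incident timeline).
CUTOFF = datetime(2017, 7, 1, tzinfo=timezone.utc)   # revoke everything minted on/after this
NOW = datetime(2018, 9, 25, tzinfo=timezone.utc)     # when the example tokens are minted

VIEW_AS_SOURCE = "view_as_video_uploader"  # hypothetical label for the offending code path


@dataclass(frozen=True)
class AccessToken:
    subject: str        # account the token grants access to
    actor: str          # authenticated user for whom it was minted
    issued_at: datetime
    source: str         # code path that minted it


class TokenStore:
    """In-memory store of live tokens keyed by an opaque id (constructed for the example)."""

    def __init__(self) -> None:
        self._live: Dict[str, AccessToken] = {}
        self._next = 0

    def mint(self, token: AccessToken) -> str:
        self._next += 1
        token_id = f"tok-{self._next}"
        self._live[token_id] = token
        return token_id

    def get(self, token_id: str) -> Optional[AccessToken]:
        return self._live.get(token_id)

    def revoke_where(self, pred: Callable[[AccessToken], bool]) -> int:
        doomed = [tid for tid, tok in self._live.items() if pred(tok)]
        for tid in doomed:
            del self._live[tid]
        return len(doomed)


def mint_view_as_token_buggy(store: TokenStore, viewer: str, viewed_profile: str, now: datetime) -> str:
    # Models the defect: the uploader that should not have appeared mints a token,
    # and its subject is the profile being looked up rather than the viewer.
    return store.mint(AccessToken(subject=viewed_profile, actor=viewer, issued_at=now, source=VIEW_AS_SOURCE))


def mint_view_as_token_fixed(store: TokenStore, viewer: str, viewed_profile: str, now: datetime) -> str:
    # Hardened: the preview identity (viewed_profile) is deliberately never used as a
    # token subject. The invariant is checked at issuance so a regression fails loudly
    # instead of silently minting a token for someone else.
    token = AccessToken(subject=viewer, actor=viewer, issued_at=now, source=VIEW_AS_SOURCE)
    if token.subject != token.actor:
        raise ValueError("token subject must be the authenticated actor")
    return store.mint(token)


def can_access(store: TokenStore, token_id: str, account: str) -> bool:
    # Defense in depth at use time: the token must be live, must name the account being
    # accessed, and must have been minted for the same principal it grants access to.
    tok = store.get(token_id)
    return tok is not None and tok.subject == account and tok.subject == tok.actor


def revoke_view_as_tokens_since(store: TokenStore, since: datetime) -> int:
    # The mass logout: invalidate every token minted via the View As path on or after the cutoff.
    return store.revoke_where(lambda t: t.source == VIEW_AS_SOURCE and t.issued_at >= since)


def run_scenario() -> dict:
    """Walks through the defect, the fix and the revocation; returns what each step yields."""
    store = TokenStore()
    bad = mint_view_as_token_buggy(store, viewer="alice", viewed_profile="bob", now=NOW)
    good = mint_view_as_token_fixed(store, viewer="alice", viewed_profile="bob", now=NOW)
    return {
        "buggy_token_subject": store.get(bad).subject,               # minted for the wrong person
        "buggy_token_usable_as_bob": can_access(store, bad, "bob"),   # rejected by the use-time check
        "fixed_token_usable_as_alice": can_access(store, good, "alice"),
        "fixed_token_usable_as_bob": can_access(store, good, "bob"),
        "revoked": revoke_view_as_tokens_since(store, CUTOFF),
        "fixed_token_after_revocation": can_access(store, good, "alice"),
    }


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

The point of the two checks is that a token's subject should be derived from the authenticated session and nothing else; a preview feature that impersonates another identity for display purposes should never reach the token issuer with that identity. The revocation by source and issue date is what lets a service invalidate a suspect population of tokens without forcing a password reset on everyone.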
"We are constantly improving our security and this underscores the fact that there are constant attacks," said CEO Mark Zuckerberg. "We need to keep focusing on this over time."
This comes after a hacker in Taiwan threatened to live-stream himself hacking into Zuckerberg's Facebook account over the internet on Sunday. He U-turned, and canceled the web video spectacle within hours of today's admission by Facebook.
Earlier this week, it emerged Facebook was using people's cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads. ®
Updated to add
Following an afternoon press conference, it emerged that Zuckerberg and chief operating officer Sheryl Sandberg's Facebook accounts were among those hacked. Also, it was confirmed it was possible to use the swiped access tokens to log into connected apps and websites that used Facebook to authenticate the hacked users... oops!