Today, Facebook disclosed a security vulnerability that affected 50 million people on the social media network and allowed malicious third parties to potentially access the affected users account.
In a blog post, Facebook's Guy Rosen, VP of Product Management explained that the attackers exploited a vulnerability associated with Facebook's "View As" feature that allowed them to steal Facebook access tokens. These tokens could then be used to take over people's accounts.
"Our investigation is still in its early stages," stated Guy Rosen, VP of Product Management, for Facebook. "But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."
When they discovered this vulnerability, Facebook fixed and then reset the security tokens for almost 50 million accounts, and to be safe, reset them for an additional 40 million other accounts. Finally they turned off the "View As" feature.
"Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security," the announcement continued "We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."
According to Facebook, this attack stemmed from a change they made in July 2017 to their video uploading feature.
As they have just started their investigation, it is not known how many account, if any, were affected by this vulnerability. Facebook has stated they will provide more information when the investigation has been completed.
Update 9/28/18 3:42 PM EST: It appears that three vulnerabilities were chained together in a large scale attack to steal account tokens. More info from Motherboard.