On Sept. 28, Facebook announced via its blog that it discovered attackers exploited a vulnerability in its code that impacted its "View As" feature. While Guy Rosen, VP of product management, notes that the investigation is still in its early stages, the breach is expected to have affected 50 million accounts. It is unclear at this stage whether these accounts were misused or if any personal information has been accessed.
According to Rosen’s post, attackers were able to steal Facebook access tokens – digital keys that allow users to stay logged in whether or not they’re actively using the application – which could then be used to take over user accounts. The breach is reportedly a result of multiple issues within Facebook's code, stemming from changes made to the social media platform’s video-uploading feature in July of last year that impacted the “View As” feature.
Veracode’s Chris Wysopal assumes that the attack was automated in order to collect the access tokens, given that attackers needed to both find this particular vulnerability to get an access token, and then pivot from that account to others in order to steal additional tokens.
In reviewing the available details, Veracode’s Chris Eng suggests that an educated guess could lead to the conclusion that having two-factor authentication enabled on the account may not have protected users. Given that the vulnerability was exploited through the access token as opposed to the standard authentication workflow, it is unlikely second-factor verification would have been triggered.
Facebook reportedly fixed the vulnerability and informed law enforcement of the breach and is temporarily turning off the "View As" feature while they undergo security checks. Additionally, the company has reset the access tokens to the affected accounts and is taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.