Last month, Facebook witnessed its largest security breach which compromised 50 million user accounts, which was later fixed by its investigation team to avoid further misuse. On Friday, 12th October, Guy Rosen, VP of Product Management in Facebook, shared details of the attack for the users to know the actual reason behind the attack.
Facebook discovered the issue on September 25th where the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The attackers exploited a series of interactions of three distinct software bugs, which affected the ‘View As’ feature that lets people see what their own profile looks like to someone else.
Attackers stole FB access tokens to take over people’s accounts. These tokens allow an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.
Read Also : Facebook’s largest security breach in its history leaves 50M user accounts compromised
Guy Rosen, in his update stated, “We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”
The attackers already had control over a set of accounts connected to Facebook users. They further used an automatic technique to move from one account to the other in order to steal the access tokens of those friends, friends of friends, and so on. This allowed them to reach about 400,000 users.
Guy writes, “this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations”.
The attackers used these 400,000 people’s lists of friends to further steal access tokens for about 30 million people. They broke down these 30 million into three batches; namely 15, 14 and 1 million, and carried out different accessing techniques for the first two batches. For the 1 million people, the attackers did not access any information.
Facebook will be sending customized messages to the 30 million affected people to explain to them the information the attacker might have accessed and how they can protect themselves from the after effects (getting suspicious calls, mails and messages).
Guy also clarified, “This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”
Meanwhile, Facebook is co-operating with FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities to look for ways attackers used Facebook and other possibilities of smaller-scale attacks.
To know more about this in detail, visit Guy Rosen official blog post.
Facebook introduces two new AI-powered video calling devices “built with Privacy + Security in mind”
“Facebook is the new Cigarettes”, says Marc Benioff, Salesforce Co-CEO
I remember deciding to pursue my first IT certification, the CompTIA A+. I had signed…
Key takeaways The transformer architecture has proved to be revolutionary in outperforming the classical RNN…
Once we learn how to deploy an Ubuntu server, how to manage users, and how…
Key-takeaways: Clean code isn’t just a nice thing to have or a luxury in software projects; it's a necessity. If we…
While developing a web application, or setting dynamic pages and meta tags we need to deal with…
Software architecture is one of the most discussed topics in the software industry today, and…