Facebook: Hackers accessed 50 Mio. Access Tokens

[German]Facebook has just admitted a vulnerability within it's network. Hackers probably was able to stole access tokens and abuse 50 million accounts. Possibly more accounts are affected, Facebook has reset 90 million accounts. In addition, a White Hat hacker on Sunday wanted to delete Mark Zuckerberg's Facebook account. It is unclear whether the announced hack to Mark Zuckerberg's account is related to this. Here is what is known so far.


Hacker wanted to delete Sunday Zuck's Facebook account

I don't know if it has anything to do with this story. But since a few hours I know (see here) that Taiwanese hacker Chang Chi-yuan has hacked Facebook. He had announced that he wanted to delete Mark Zuckerberg's Facebook account next Sunday. Should take place as a live broadcast. 

ZUCC'D or $7'D

Chang Chi-yuan is a self-proclaimed white hat hacker who appears in the LINE Security Bug Bounty program. After the whole thing got a lot of international attention, Chang Chi-yuan has backed down in this post.


If I read the above screenshot correctly, there was a contact between the hacker and Facebook confirming his reported issue. 


Facebook confirms a vulnerability

There is a vulnerability at Facebook. In a security nofication, Guy Rosen, VP of Product Management at Facebook, disclosed a security problem at Facebook. Here's the admission:

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security.

Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.

This is catastrophic for a social network like Facebook. The accounts of any Facebook user could be hacked if they had used a certain function.

Measures implemented

The Facebook manager then lists the measures that have been taken.   

  • The first step was to close the vulnerability and inform law enforcement. 
  • Facebook has temporarily disabled the "View As" feature while a thorough security check is being conducted. 
  • Then the access tokens of the nearly 50 million accounts that were definitely affected were reset. 
  • As a precaution, the access tokens for another 40 million accounts, which were subjected to a "View As" display last year, were reset for security reasons.

As a result, around 90 million people now have to log back into Facebook or one of their apps using Facebook login. After logging back in, people at the top of their news feed receive a notification explaining what happened.

The vulnerability explained

Facebook explains in the security notifcation that this attack exploited the complex interaction of several problems in the Facebook code. The vulnerability was caused by a change to the video upload feature in July 2017. This has affected "View As". Not only did the attackers have to find and use this vulnerability to obtain an access token, they had to move from that account to other accounts to steal more tokens.

Facebook is currently investigating the hack. So they have yet to determine whether these [hacked] accounts have been abused or what information has been accessed. Further details may be read within Facebook's blog post.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *