50 million Facebook accounts breached by an access-token-harvesting attack




Facebook resets login tokens for 90 million accounts as it fixes bugs that compromised 50 million accounts.

Jaap Arriens / NurPhoto via Getty Images

Last night, Facebook reset logins for millions of users after discovering a data breach that exposed nearly 50 million accounts. The breach resulted from an exploit of three bugs in Facebook's code that were introduced with the addition of a new video upload tool in July 2017. Facebook fixed the vulnerabilities on Thursday and has revoked the access tokens of a total of 90 million users.

In a press call today, Facebook CEO Mark Zuckerberg said the attack targeted the "View As" feature, code that lets people see what others see when they view their profile. Attackers could use this feature, combined with the video upload feature, to harvest access tokens.

"The attackers did try to query our APIs, but we still don't know whether any private information was exposed," Zuckerberg said. The hackers used an API that retrieves the information shown on a user's profile page, but so far nothing indicates that Facebook posts or other private data were accessed. According to Facebook, no credit card data or other information was disclosed.

"It's the result of three separate bugs," said Guy Rosen, Facebook's vice president of product management. "The first bug was that when using the 'View As' feature, the video uploader shouldn't have appeared at all." But for some types of posts on users' timelines, such as prompts to post birthday greetings, the video uploader was shown as active. The second bug was that when it appeared, the video uploader generated an access token, which Rosen said was incorrect behavior. And the third bug was that in creating this token, it used the identity of the person the user was viewing the page as, not the identity of the user themselves.

"We saw this attack being used on a fairly large scale," Rosen said. "Attackers could get an access token, pivot to other accounts, and look up other users to get further access tokens."
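An illustrative model of the three-bug chain Rosen describes and of the token pivot, added here as an example; it is not Facebook's code, and the session/post data model, the function names and the in-memory token store are assumptions. It shows why minting a credential inside an impersonation ("View As") context is a confused-deputy bug, and the two checks that close it: never show a credential-minting widget in preview, and never mint a credential on render at all.

```python
"""Model of a 'View As' preview that mints an access token for the wrong
principal. Added example with invented names (Session, Post, render_post,
mint_access_token, pivot); it does not reproduce any real Facebook API."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets

# In-memory token store for the demo: token string -> user the token acts as.
TOKENS: Dict[str, str] = {}


@dataclass
class Session:
    user: str                      # the authenticated principal
    view_as: Optional[str] = None  # identity being previewed with "View As"


@dataclass
class Post:
    kind: str                      # e.g. "birthday_prompt" or "status"


def mint_access_token(subject: str) -> str:
    """Mint a bearer token that acts as `subject` and record it."""
    token = secrets.token_hex(16)
    TOKENS[token] = subject
    return token


def token_subject(token: str) -> Optional[str]:
    """Which user a harvested token acts as (None if unknown)."""
    return TOKENS.get(token)


def uploader_visible(post: Post, session: Session, vulnerable: bool) -> bool:
    """Bug 1: the vulnerable path shows the video uploader on birthday-greeting
    prompts even inside a 'View As' preview. The fixed path never shows an
    interactive widget while previewing as someone else."""
    if session.view_as is not None and not vulnerable:
        return False
    return post.kind == "birthday_prompt"


def render_post(post: Post, session: Session, vulnerable: bool) -> Optional[str]:
    """Render one timeline post. Returns the access token minted as a side
    effect of rendering, or None when nothing was minted."""
    if not uploader_visible(post, session, vulnerable):
        return None
    if not vulnerable:
        # Fixed: rendering never mints a credential. The uploader authenticates
        # later with the caller's own session, so no token can leak here.
        return None
    # Bug 2: the uploader mints a token simply because it was displayed.
    # Bug 3: the token's subject is the identity being viewed as, not the
    # logged-in viewer, so the viewer walks away with someone else's token.
    subject = session.view_as if session.view_as is not None else session.user
    return mint_access_token(subject)


def pivot(start: Session, targets: List[str], vulnerable: bool) -> List[str]:
    """Model the 'get a token, pivot, repeat' loop: each harvested token is
    used as the session that previews the next target. Returns the subjects
    of the tokens obtained, in order; empty on the fixed path."""
    harvested: List[str] = []
    session = start
    prompt = Post(kind="birthday_prompt")
    for target in targets:
        token = render_post(prompt, Session(user=session.user, view_as=target), vulnerable)
        if token is None:
            break
        victim = token_subject(token)
        harvested.append(victim)
        session = Session(user=victim)  # now acting as the victim
    return harvested


if __name__ == "__main__":
    attacker = Session(user="attacker")
    print("vulnerable:", pivot(attacker, ["alice", "bob", "carol"], vulnerable=True))
    print("fixed:     ", pivot(attacker, ["alice", "bob", "carol"], vulnerable=False))
```

The model separates the three defects on purpose: hiding the uploader in preview (bug 1) would have stopped this particular chain, but the fix that removes the class of bug is that rendering a UI element never issues a credential, and that any credential that is issued is bound to the authenticated session rather than to whatever identity the page happens to be displaying.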

Facebook contacted the FBI and other law enforcement agencies on Wednesday after identifying the nature of the attack. After disabling the "View As" feature and fixing the other bugs, Facebook's security team revoked the access tokens of all 50 million affected accounts. They also revoked the access tokens of another 40 million users whose accounts had been looked up with the "View As" feature, to ensure that no other accounts were compromised.

According to Zuckerberg and Rosen, the investigation is still in its early stages. They could not yet say whether specific types of users were targeted. Zuckerberg stressed that Facebook took the breach seriously and that the company was pursuing it aggressively. The CEO promised more details as the investigation progresses.

Whatever the outcome, the breach could further damage Facebook's reputation as the company continues to try to regain public trust after a recent string of security and privacy issues. In addition to revelations about the misuse of Facebook user data by Cambridge Analytica in the run-up to the 2016 US presidential election, questions have been raised about how Facebook itself uses customer data, including the discovery that Facebook routinely collected full call logs and other data from some mobile users. Earlier this week, Facebook acknowledged that it lets advertisers target users with ads using the phone numbers those users provided for two-factor authentication. And Facebook's Onavo virtual private network app was pulled from Apple's App Store in August because Facebook was using it to collect data on users' mobile app usage.
