By Sam Dean, Los Angeles Times
Nearly 50 million Facebook accounts have been affected by a security breach that has allowed hackers to take control of user accounts, the social media giant said Friday.
The new flaw comes as Facebook strives to convince its more than 2 billion users that it can be trusted. The company is still grappling with the fallout from the revelation that the British consulting firm Cambridge Analytica harvested the personal data of 87 million users, as well as the revelation that it unwittingly hosted a massive Russian disinformation campaign during the 2016 US elections.
The new vulnerability was discovered Tuesday afternoon and has been fixed, Facebook said.
"The attackers exploited a vulnerability in Facebook's code that impacted 'View As', a feature that lets users see what their own profile looks like," the company said Friday in an online post. "This allowed them to steal Facebook access tokens," giving the hackers full access to user profiles, as if they were those users.
"This is a very serious security issue, and we take it very seriously," said Mark Zuckerberg, CEO of Facebook. "We must be more proactive in defending our community."
No passwords or credit card data were stolen, said Guy Rosen, Facebook's vice president of product management. He said it was unclear whether the attackers had accessed private messages or posts, or had posted anything from the hacked accounts.
Access tokens let users stay logged in to the social network, so they do not have to log in again each time they open the app, visit the website, or use third-party services that rely on their Facebook credentials.
Facebook said it had reset the tokens of all affected users and, as a precaution, those of 40 million additional users who had used the View As feature in the year since the vulnerability was introduced. The reset logged them out; they will have to log back in the next time they use the service.
The company said it was in the early stages of its investigation and had reported the breach to the FBI and Irish law enforcement. At this point, Rosen said, the company had not determined who orchestrated the attack, where it originated, or whether it targeted a particular subset of Facebook users.
Facebook discovered the attack after noticing an unusual spike in user activity on Sept. 16, and its investigation uncovered the nature of the attack on Tuesday, Rosen said. He said Facebook alerted law enforcement and began fixing the vulnerabilities, finishing Friday morning.
Rosen said the attackers had exploited a vulnerability in Facebook's code that stemmed from three separate bugs introduced more than a year ago, when engineers updated the video upload feature in July 2017.
The first bug caused the video uploader to generate an access token, which was strange but not a major risk on its own, because users had to be logged in to use the uploader.
The second bug is where birthdays come into the picture. The View As feature lets users view their profile page as if they were someone else, to check whether their privacy settings are to their liking. Normally the video uploader does not appear in View As mode, but because of the second bug it did appear when the page being displayed contained a Facebook prompt encouraging the user to send a message to a friend, such as a birthday greeting.
The third bug turned these minor errors into a major security issue. If a user viewed their own profile page as if they were a particular Facebook friend, such as a former roommate, and the video uploader appeared on the page, the uploader would spit out an access token for the ex-roommate rather than for the user. That token gave full access to the ex-roommate's Facebook account.
Once the hackers had access to an account, they could repeat the process with that account's friends, again and again.
Based on the speed and scale of the attack, Rosen said it probably involved some degree of automation.
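The three-bug chain and the friend-to-friend propagation described above, modelled as an added example that is not Facebook's code: the data model, the function names, the friend graph and the HMAC-based token format are all assumptions made here so that a renderer carrying the three bugs can be run side by side with a hardened one.

```python
"""Constructed model of a 'View As' token-minting bug chain.

Added illustration, not Facebook's code: the user/friend data, the
RenderContext shape, the token format and the server key are all
assumptions made for this example.
"""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass

SERVER_KEY = b"constructed-server-key"  # assumption: symmetric token-signing key

# Constructed social graph: user -> set of friends (undirected).
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob", "dave"},
    "dave": {"carol"},
}


def mint_token(user: str) -> str:
    """Issue an access token asserting 'the bearer acts as `user`'."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{user}.{tag}"


def whoami(token: str):
    """Return the user a token grants access to, or None if it is forged."""
    user, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]
    return user if hmac.compare_digest(tag, expected) else None


@dataclass
class RenderContext:
    actor: str                       # the authenticated session user
    subject: str                     # whose view of the profile is rendered
    has_birthday_prompt: bool = False


def render_vulnerable(ctx: RenderContext) -> dict:
    """Profile page with the article's three bugs composed together.

    Bug 1: the video uploader embeds an access token in the page.
    Bug 2: in View As mode the uploader is still shown when the page
           carries a 'send a message to a friend' (birthday) prompt.
    Bug 3: the token is minted for the rendering subject, not the actor.
    """
    page = {"subject": ctx.subject, "token": None}
    view_as = ctx.actor != ctx.subject
    show_uploader = (not view_as) or ctx.has_birthday_prompt    # bug 2
    if show_uploader:
        page["token"] = mint_token(ctx.subject)                  # bugs 1 + 3
    return page


def render_hardened(ctx: RenderContext) -> dict:
    """Same page with the chain broken at two points: no token is ever
    embedded while impersonating, and any token that is issued is bound
    to the authenticated actor rather than to the rendering subject."""
    page = {"subject": ctx.subject, "token": None}
    view_as = ctx.actor != ctx.subject
    if not view_as:
        page["token"] = mint_token(ctx.actor)
    return page


def harvest(start_token: str, render) -> set:
    """Automate the 'repeat with that account's friends' step: breadth-first
    over the friend graph, viewing as each friend and keeping every token
    that resolves to an account not yet controlled."""
    owned = {whoami(start_token)}
    queue = deque(owned)
    while queue:
        actor = queue.popleft()
        for friend in FRIENDS[actor]:
            page = render(RenderContext(actor, friend, has_birthday_prompt=True))
            victim = whoami(page["token"]) if page["token"] else None
            if victim and victim not in owned:
                owned.add(victim)
                queue.append(victim)
    return owned


if __name__ == "__main__":
    alice = mint_token("alice")
    print("vulnerable:", sorted(harvest(alice, render_vulnerable)))  # all four users
    print("hardened:  ", sorted(harvest(alice, render_hardened)))    # only alice
```

The point the hardened renderer makes is that a credential must be bound to the authenticated principal (the session actor), never to whatever principal the rendering context happens to be displaying, and that a component which mints credentials should not be reachable from an impersonation view at all. Either fix alone stops the walk across the friend graph; the model applies both because the article describes the problem as three independent bugs that only became dangerous in combination.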
—
© 2018 Los Angeles Times
Visit the Los Angeles Times on www.latimes.com
Distributed by Tribune Content Agency, LLC.