This morning, Facebook revealed a widespread security vulnerability that could have allowed hackers or other malicious third parties to gain access to an affected user's account by stealing their access token. The flaw affected no fewer than 50 million people, and Facebook explains that nearly 90 million users are being forced to log back in to their accounts today as a precaution. The company says that is because, in addition to the impacted accounts, about 40 million more people had used the affected feature since the vulnerability was introduced in July 2017.
It also says the problem has been fixed and that law enforcement has been notified, indicating that this was not an engineering mistake but a deliberate exploit discovered and used by a third-party organization or hacker. The company said its engineering team became aware of the problem on September 25, but Guy Rosen, Facebook's vice president of product management, said it was unclear whether accounts had actually been compromised, when the flaw had been exploited, or who might be behind the attack.
"On Tuesday, we discovered that an attacker had exploited a technical vulnerability to steal access tokens allowing him to connect to about 50 million accounts of people on Facebook," CEO Mark Zuckerberg said on his personal Facebook page. "We do not know yet if these accounts were misused, but we continue to look after them and update them when we know more."
The flaw allowed someone to abuse the "View As" feature, which lets you view your own profile as it appears to another user or to the public, so you can check your sharing settings. It appears that the feature inadvertently exposed Facebook access tokens when a user selected a profile as the View As target. Whoever obtained such a token could then access that person's account. Facebook access tokens are the digital keys that let mobile users stay logged in to their accounts without having to re-enter their passwords.
With full access to a user's account, attackers could have used any third-party application connected via Facebook, the company said Friday.
In addition to forcing 90 million users to log back in today, Facebook also announced that it is disabling the View As feature "while conducting a thorough security review." The company did not give a lot of concrete details here:
This attack exploited the complex interaction of several problems in our code. It stemmed from a change to our video upload feature in July 2017 that impacted View As. Hackers not only had to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
On a call with reporters following the announcement, Facebook said that the "video upload feature" changed in July of last year was a tool letting users upload birthday videos, and that it caused View As to expose sensitive information only when it interacted with two other bugs. The company also confirmed that no credit card information had been disclosed.
Facebook's @guyro says the breach that affected 50 million users involved a vulnerability in a tool that let users upload Happy Birthday videos
– Kevin Roose (@kevinroose) September 28, 2018
I asked Facebook how sophisticated the hackers were and whether this could be nation-state activity. Rosen said the attack was "complex" and took advantage of three bugs interacting together. "We may never know" the identity of the hackers, Rosen adds.
– Dustin Volz (@dnvolz) September 28, 2018
News of this security exploit comes just hours after a Taiwanese hacker known as Chang Chi-yuan pledged to delete Zuckerberg's personal page on Sunday, to demonstrate a security flaw in Facebook, his own hacking skills, or both. It was not yet clear whether the problem affecting Facebook's View As feature was the one Chang intended to exploit, but the timing invited suspicion of a connection.
Today, Facebook said on the conference call with reporters that the View As exploit had nothing to do with Chang's stunt, which he had planned to broadcast on Facebook Live. Later in the day, Chang backed out of his pledge, writing on his personal page that he had "reported the bug to Facebook and will show proof once I have received a bounty."
A more pressing concern for Facebook is the absence of a security chief following the departure of former chief security officer Alex Stamos last month. After Stamos left, Facebook said it would not fill the CSO role, but would instead restructure its security organization and embed specialists in its many divisions. A Facebook spokesperson said at the time that the company "would continue to evaluate what kind of structure works best" to protect users.
Following widespread media coverage of the exploit, Facebook users began to report that the social network was blocking news links about the hack from The Associated Press and The Guardian, leading the company's more cynical critics to assume it was deliberately suppressing negative information about itself on its own platform.
Facebook then confirmed to The Verge that the stories were being shared so frequently that they triggered the company's internal spam detection tools. "We solved the problem as soon as we learned about it and people should be able to share the two articles," the company said. "We apologize for the inconvenience."
Update 9/28, 6:22 pm ET: Added Facebook's comment on the blocked news links.
Update 9/28, 5:22 pm ET: Added information from a second call with reporters.
Update 9/28, 1:35 pm ET: Added information from Facebook's call with reporters this afternoon.
Update 9/28, 4:41 pm ET: Added information about Facebook's internal spam detection tools flagging the rapidly spreading Guardian and AP links, as well as an update on Chang Chi-yuan backing out of his pledge to hack Zuckerberg's page.