On Tuesday, Sep 25, Facebook's engineering team discovered a serious security breach. According to the company's official blog post, the breach compromised about 50 million user accounts, and the team took immediate action once the flaw was found.
The bug is in Facebook's "View As" feature, which lets a user see their own profile the way other people see it. By exploiting it, attackers could obtain a user's access token and use it to take over the account. Access tokens are the equivalent of a password: they are stored in the app so that users don't have to log in every time they use it, and whoever holds a valid token is treated as the account owner.
The Facebook team has already reset the access tokens of the affected accounts, which logs those users out of every device they were using. When they log back in, they will see a notification at the top of their News Feed explaining what happened. Facebook has also temporarily disabled the "View As" feature while it investigates.
It was also reported that Mark Zuckerberg, CEO of Facebook, had his own account compromised in the breach. He posted a long Facebook post about it, as follows:
The blog post states that the bug stemmed from a change to the video uploader introduced in July 2017 and the way it interacted with "View As": "When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up." In other words, the preview page handed the viewer a token belonging to the profile being looked up, which is exactly the credential needed to act as that person.
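To make the class of bug concrete, here is an added illustration in Python. It is not Facebook's code and does not reproduce their real token format; the HMAC token, the user names "alice" and "bob", and the per-user generation counter are all constructed for the example. It shows a "View As" preview minting a token for the wrong principal, the same preview hardened so any embedded token is bound to the caller, a regression check a test suite can run over rendered pages, and the token-reset step (bumping a per-user generation counter) that logs every device out, as the article describes Facebook doing.

```python
# Added illustration (not Facebook's code): a "View As" preview that mints a
# token for the wrong principal, its hardened form, a regression check, and
# the per-user token reset that invalidates everything already issued.
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-signing-key"  # constructed; a real service uses a managed key

# Constructed per-user token generation counter. Bumping it invalidates every
# token that user currently holds ("reset the tokens / log out every device").
token_generation = {"alice": 1, "bob": 1}


def mint_token(user_id, scope, ttl=3600):
    """Create a signed bearer token for user_id (constructed HMAC format)."""
    payload = {
        "sub": user_id,
        "scope": scope,
        "gen": token_generation[user_id],
        "exp": int(time.time()) + ttl,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).rstrip(b"=").decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token):
    """Return the payload if signature, expiry and generation all check out, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] < time.time():
        return None
    if payload["gen"] != token_generation.get(payload["sub"]):
        return None  # revoked by a reset
    return payload


def whoami(token):
    """The account the bearer of this token acts as: the token is the password."""
    payload = verify_token(token)
    return payload["sub"] if payload else None


def render_view_as_vulnerable(viewer_id, target_id):
    """Bug class from the article: the uploader widget embedded in the preview is
    handed a token minted for the profile being looked up (target), not for the
    authenticated viewer. Anyone who can read the page now holds target's key."""
    widget_token = mint_token(target_id, "full")  # wrong principal
    return {"viewer": viewer_id, "profile": target_id, "uploader_token": widget_token}


def render_view_as_fixed(viewer_id, target_id):
    """Hardened form: a read-only preview ideally embeds no upload widget at all;
    if one must ship, its token is bound to the caller and narrowly scoped."""
    widget_token = mint_token(viewer_id, "upload:self")  # bound to the viewer
    return {"viewer": viewer_id, "profile": target_id, "uploader_token": widget_token}


def tokens_bound_to_caller(page):
    """Regression check: every token embedded in a rendered page must belong to
    the authenticated viewer. Run this over rendered responses in tests."""
    tok = page.get("uploader_token")
    if tok is None:
        return True
    payload = verify_token(tok)
    return payload is not None and payload["sub"] == page["viewer"]


def revoke_all_tokens(user_id):
    """Log out every device for user_id by bumping its generation counter."""
    token_generation[user_id] = token_generation.get(user_id, 0) + 1


if __name__ == "__main__":
    page = render_view_as_vulnerable("alice", "bob")
    stolen = page["uploader_token"]
    print("vulnerable preview for alice carries a token for:", whoami(stolen))
    print("bound to caller?", tokens_bound_to_caller(page))
    revoke_all_tokens("bob")
    print("after reset the stolen token resolves to:", whoami(stolen))
    fixed = render_view_as_fixed("alice", "bob")
    print("fixed preview bound to caller?", tokens_bound_to_caller(fixed))
```

The check in tokens_bound_to_caller is the kind of invariant worth asserting wherever impersonation or preview features render on behalf of another principal: any credential that leaves the server must name the caller, never the subject being previewed. The generation counter shows why a token reset is the right response to this class of leak; rotating the signing key would also work but would log out every user at once, whereas a per-user counter lets the service target only the affected accounts.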
This comes in the same year that Facebook was already dealing with the Cambridge Analytica data scandal.