How 50 Million Facebook Users Were Hacked
#1
Quote: Facebook revealed more details about how hackers exploited three distinct bugs to get the ability to control up to 50 million users’ accounts.


On Friday, Facebook revealed that hackers broke into the company’s servers and potentially stole the data of up to 50 million people.

The social network forced 90 million people—around 50 million victims plus an additional 40 million that may have been affected, according to the company—to log out and log back in again. That’s because the hackers stole their “access tokens,” a sort of digital key that Facebook creates when you log in and that allows you to stay logged in when, for example, the Facebook mobile app wants to open another part of Facebook inside a browser (this might occur when you click a link).


An access token doesn’t include a user’s password, but since it allows a user to stay logged in, having an access token means you can completely control the account.

“Parts of our site use a mechanism called single sign-on that creates a new access token,” Guy Rosen, Facebook’s vice president of product management, told reporters on a press call. “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser. What it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to log in again on that window.”

The hackers took advantage of three distinct vulnerabilities chained together in order to steal the tokens, Rosen said.

The vulnerabilities have existed since at least July 2017 and were related to Facebook’s “View As” tool, which allows you to view your own profile as if you were someone else (this is a privacy feature—it allows you, for example, to check whether your ex, or grandma, or anyone you want to hide things from can see certain posts on your page).



If you haven’t used the feature before, it can be hard to visualize or imagine. Basically, let’s say you wanted to hide some wall posts from your nemesis John. You can change your Facebook privacy settings to allow John to only see certain posts. Then, to check that the changes to your privacy settings actually worked, you can use the View As feature to look at your profile as if you were John. You’re not actually John, of course, and you don’t have access to his account—it’s just a simulation. But these chains of bugs would have allowed you, if you were a hacker, to acquire John’s access token, and then log into his account using that token, therefore taking full control of his account.

“It’s important to say: the attackers could use the account as if they were the account holder,” Rosen said.

The first bug, Rosen explained, caused a video uploader to show up on View As pages “on certain kinds of posts encouraging people to post happy birthday greetings.” Normally, the video uploader should not have shown up. The second bug caused this video uploader to generate an access token that had permission to log into the Facebook mobile app, which is not how this feature “is intended to be used,” according to Rosen.

The final bug, Rosen explained, was that when the video uploader showed up as part of the View As feature, it generated a new access token not for the user, but for the person they were pretending to be—essentially giving the person using the View As feature the keys to the account of the person they were simulating. In the example given above, this would not only have allowed you to look at John’s profile using the View As John feature, but it also would have generated an access token allowing you to log in to and take over John’s account.

“It was the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers,” Rosen said. “Those attackers, in order to run the attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot that access token to other accounts and then look up other users in order to get further access tokens.”

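To make the third bug concrete, here is a small model of the principal-binding mistake the article describes, with the flawed issuance beside a hardened version and a check that flags a token minted for the wrong identity. This is an added illustration, not Facebook's code: the `Session`/`Token` types, the scope names and `issue_sso_token_*` functions are simplifying assumptions.

```python
"""Model of the 'View As' token-issuance flaw (added example, not Facebook's code).

Assumptions: a Session records the authenticated actor and the identity being
previewed; the single sign-on (SSO) path mints a Token for a browser view.
"""
from dataclasses import dataclass
from typing import Optional

MOBILE_SCOPE = "mobile_app"   # assumed name for the over-privileged scope of bug 2
BROWSER_SCOPE = "browser"     # assumed name for what SSO is meant to mint


@dataclass(frozen=True)
class Session:
    actor: str                 # the user who actually logged in
    view_as: Optional[str]     # identity being previewed via View As (None = self)


@dataclass(frozen=True)
class Token:
    subject: str               # whose account the token controls
    scope: str


def issue_sso_token_vulnerable(session: Session, scope: str) -> Token:
    """Flawed logic: the uploader rendered inside View As takes the *displayed*
    identity as the token subject (bug 3) and accepts any scope (bug 2)."""
    subject = session.view_as or session.actor
    return Token(subject=subject, scope=scope)


def issue_sso_token_fixed(session: Session, scope: str) -> Token:
    """Hardened: the token is always bound to the authenticated actor, and the
    browser SSO path may only mint browser-scoped tokens. View As affects
    rendering only, never the principal a credential is issued for."""
    if scope != BROWSER_SCOPE:
        raise PermissionError(f"SSO may not mint scope {scope!r}")
    return Token(subject=session.actor, scope=scope)


def token_is_confused(session: Session, token: Token) -> bool:
    """Detection check: a token whose subject differs from the session's
    authenticated actor was minted for the wrong principal."""
    return token.subject != session.actor


if __name__ == "__main__":
    s = Session(actor="alice", view_as="john")   # constructed sample session
    bad = issue_sso_token_vulnerable(s, MOBILE_SCOPE)
    good = issue_sso_token_fixed(s, BROWSER_SCOPE)
    print("vulnerable:", bad, "confused:", token_is_confused(s, bad))
    print("fixed:     ", good, "confused:", token_is_confused(s, good))
```

Running it shows the vulnerable path handing `alice` a mobile-scoped token whose subject is `john`, which the check flags, while the fixed path only ever issues a browser token for `alice`.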
#2
My sister's account got logged out from all her devices as well. This is bizarre. I try to run a Chrome VPN extension while I browse Facebook, or use a VPN for iPad that has to use powerful encryption protocols, to reduce the chances of such hacks, though they are not eliminated entirely.