Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.
In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.
The company said it was just beginning its investigation, and that it doesn’t yet know some basic facts about the incident, such as whether these accounts were misused, if any private information was accessed, or who might be responsible for these attacks.
Although Facebook didn’t mention this in their post, one other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user. Tens of thousands of Web sites let users log in using nothing more than their Facebook profile credentials. If users have previously logged in at third-party sites using their Facebook profile, there’s a good chance the attackers could have had access to those third-party sites as well.
I have asked for clarification from Facebook on this point and will update this post when and if I receive a response. However, I would have expected Facebook to mention this as a mitigating factor if authorized logins at third-party sites were not impacted.
Update: 4:46 p.m. ET: A Facebook spokesperson confirmed that while it was technically possible that an attacker could have abused this bug to target third-party apps and sites that use Facebook logins, the company doesn’t have any evidence so far that this has happened.
“We have invalidated data access for third-party apps for the affected individuals,” the spokesperson said, referring to the 90 million account that were forcibly logged out today and presented with a notification about the incident at the top of their feed.
Facebook says there is no need for users to reset their passwords as a result of this breach, although that is certainly an option.
More importantly, it’s a good idea for all Facebook users to review their login activity. This page should let you view which devices are logged in to your account and approximately where in the world those devices are at the moment. That page also has an option to force a simultaneous logout of all devices connected to your account.
Meanwhile, a security researcher who has previously reported vulnerabilities to Facebook has taken credit for finding this bug, and briefly threatened to delete Facebook CEO Mark Zuckerberg’s Facebook account this weekend in a live video stream allegedly planned for this weekend, according to The Verge. The story notes that the researcher ultimately called off the event.