Security leaks affecting 50 million users on Facebook are discovered, users' access tokens are stolen

We report that Facebook discovered a security leak that will affect about 50 million people on September 25, 2018 (Tuesday). According to Facebook, although investigations on security leakage are in the early stages, it is clear that attackers have exploited the vulnerability of "View As" function and stolen the user's access token.

Security Update | Facebook
Newsroom https://newsroom.fb.com/news/2018/09/security-update/

According to Facebook report, an attacker exploited a vulnerability in which a user account's Facebook access token was published in HTML when rendering certain components of the "View As" feature, He confirmed that he stole the access token. The access token stolen by an attacker is a digital key to make it unnecessary for a user to log in to a service by entering a password every time a user uses a Facebook related service in an application or the like.

The "View As" function that caused the problem is a function to check how your profile looks to other users. Users can now use the "View As" function from "Confirm Profile" so that you can check how your profile is visible from other users at any time.

How can I see how my profile is displayed to other users? | Facebook Help Center | Facebook

The process that this "View As" function outputs the access token is as follows.

The "View As" function is a display-only interface, but he said that he had provided the function of mistakenly posting movies only for certain composers. And there was a bug that new versions of video uploaders introduced in July 2017 would incorrectly generate access tokens that have permission to access Facebook mobile apps. When the video uploader functions as part of the "View As" function, an access token which should not be originally generated has been output. Attacker noticed this vulnerability and succeeded in stealing 50 million access tokens.

by rawpixel

After security leaks are discovered, Facebook fixes vulnerabilities in exploited code and prevents further theft damage of access token. In addition, he revealed that he also reported to law enforcement agencies. In addition, about 50 million account tokens that were victimized are invalidated, and the access token is reset even for accounts of 40 million cases that became subject to the "View As" function in 2017, and the damage of unauthorized access It is said that it prevented the possibility of meeting. As a result, about 90 million people will be asked to log in again when using an application that needs to log in to Facebook or Facebook, and after logging in, a notification will be displayed explaining that a security leak has occurred It seems to be a thing.

Facebook then reveals that it has temporarily turned off the "View As" function that caused security leaks.

As Facebook is just beginning to investigate security leaks, we are still in a situation where it is not possible to judge whether the stolen account has been illegally used, the information was accessed or not, and so on. Also promised to reset the access token as soon as more accounts are affected in the future.

Since Facebook is an access token as stolen, it is not necessary to change the password.