Facebook hack gets worse as company admits Instagram and other apps were exposed too

Anyone with access to a person's Facebook account could make their way through rest of people's digital life too, security researchers warn

Andrew Griffin
Saturday 29 September 2018 09:12
Comments
Facebook Hack: 50 million people's acounts exposed by major mistake in social network's code, company admits

The Facebook hack is even worse than was at first clear, the company has admitted.

The site had already admitted that a hole in its code would allow people to gain access to any account, in a problem that affected some 50 million users.

But it later said that the problem would also affect its "Facebook Login" service, which allows other apps to use people's Facebook account to login.

That means that once a hacker had access to a person's Facebook account, they could make their way through the rest of their digital life. That might include other Facebook apps like Instagram but also third-party ones that use the login service, such as Tinder.

"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves," said Guy Rosen, Facebook's vice president of product management, who disclosed the vulnerability in a blog post on Friday.

The latest hack involved bugs in Facebook's "View As" feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as "access tokens," from the accounts of people whose profiles were searched for using the "View As" feature. The attack then moved along from one user's Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, said Mr Rosen. But it wasn't until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, he said

The nature of the hack means that there is little users can do to protect themselves. Facebook says it has already fixed the flaw by logging everyone out of their accounts and suspending the "view as" feature.

“There is no evidence that people have to take action such as changing their passwords or deleting their profiles," said a spokesperson for the National Cyber Security Centre.

“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in