Facebook hack gets worse as company admits Instagram and other apps were exposed too

Anyone with access to a person's Facebook account could make their way through the rest of that person's digital life too, security researchers warn

Andrew Griffin
Saturday 29 September 2018 09:12 BST
Facebook Hack: 50 million people's accounts exposed by major mistake in social network's code, company admits

The Facebook hack is even worse than was at first clear, the company has admitted.

The site had already admitted that a hole in its code would allow people to gain access to any account, in a problem that affected some 50 million users.

But it later said that the problem would also affect its "Facebook Login" service, which allows other apps to use people's Facebook account to log in.

That means that once a hacker had access to a person's Facebook account, they could make their way through the rest of that person's digital life. That might include other Facebook apps like Instagram, but also third-party ones that use the login service, such as Tinder.

"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves," said Guy Rosen, Facebook's vice president of product management, who disclosed the vulnerability in a blog post on Friday.

The latest hack involved bugs in Facebook's "View As" feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as "access tokens," from the accounts of people whose profiles were searched for using the "View As" feature. The attack then moved along from one user's Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, said Mr Rosen. But it wasn't until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, he said.

The nature of the hack means that there is little users can do to protect themselves. Facebook says it has already fixed the flaw by logging everyone out of their accounts and suspending the "view as" feature.
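The token mechanics behind the story, as an added illustration that is not Facebook's code and not part of the original article: a bearer access token stands in for the user it was issued to, so a feature that renders a page "as" another user must never mint a token for that other user. The `TokenStore` class, the `view_as_vulnerable` and `view_as_fixed` functions and the user names are hypothetical models of the flaw class and of the fix the article describes (resetting everyone's tokens), not a reconstruction of Facebook's actual implementation.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenStore:
    """Hypothetical bearer-token store: a token maps to the user it acts for.

    Each user has a 'generation' counter; a token remembers the generation it
    was issued under, so bumping the counter invalidates every token issued
    before (the server-side equivalent of 'logging everyone out').
    """
    _tokens: dict = field(default_factory=dict)      # token -> (user_id, generation)
    _generation: dict = field(default_factory=dict)  # user_id -> current generation

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable random bearer token
        self._tokens[token] = (user_id, self._generation.get(user_id, 0))
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user this token acts for, or None if unknown/revoked."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user_id, gen = entry
        if gen != self._generation.get(user_id, 0):
            return None  # issued before this user's tokens were reset
        return user_id

    def reset_user(self, user_id: str) -> None:
        """Invalidate every outstanding token for one user."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def reset_everyone(self) -> None:
        """Mass revocation: every user with a live token gets a new generation."""
        for user_id in {uid for uid, _ in self._tokens.values()}:
            self.reset_user(user_id)


def _require_login(store: TokenStore, viewer_token: str) -> str:
    viewer = store.resolve(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    return viewer


def view_as_vulnerable(store: TokenStore, viewer_token: str, target_id: str) -> dict:
    """Models the flaw class: the page rendered 'as target' embeds a token that
    was minted for the *viewed* user, so whoever receives the page holds a
    credential for someone else's account."""
    _require_login(store, viewer_token)
    embedded = store.issue(target_id)  # BUG: wrong principal
    return {"rendered_for": target_id, "embedded_token": embedded}


def view_as_fixed(store: TokenStore, viewer_token: str, target_id: str) -> dict:
    """Preview is a read-only rendering for the viewer; no token is minted
    for the viewed user at all."""
    _require_login(store, viewer_token)
    return {"rendered_for": target_id, "embedded_token": None}


if __name__ == "__main__":
    store = TokenStore()
    alice = store.issue("alice")
    leaked = view_as_vulnerable(store, alice, "bob")["embedded_token"]
    print("leaked token acts for:", store.resolve(leaked))   # bob
    store.reset_everyone()                                   # the remediation
    print("after reset:", store.resolve(leaked), store.resolve(alice))  # None None
```

The `reset_everyone` step is why the article can say users need not change passwords: the stolen credentials were tokens, not passwords, and a server-side token reset leaves every previously issued token unresolvable, at the cost of forcing every legitimate session to log in again.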

“There is no evidence that people have to take action such as changing their passwords or deleting their profiles,” said a spokesperson for the National Cyber Security Centre.

“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
