Another massive controversy has befallen Facebook today, with 50 million users' accounts potentially being impacted by a data breach.
Guy Rosen, Facebook's Vice President of Product Management, posted a security update on the company's newsroom. This update details that Facebook has reset access tokens for 90 million accounts, 50 million of which are known to have been impacted.
In an update to the newsroom post, Rosen also detailed that hackers used three separate flaws to compromise this user data. The vulnerabilities are listed as follows:
First: View As is a privacy feature that lets people see what their own profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.
Second: A new version of our video uploader (the interface that would be presented as a result of the first bug), introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.
Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.
Chained together, the three bugs above let hackers generate access tokens for other users and log in as them. Rosen states that Facebook's development team has "fixed the vulnerability."
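In security terms the chain is a view-only mode that exposes a write action, a token carrying more permissions than the feature needs, and a token bound to the wrong user. The toy token issuer below is an added illustration, not Facebook's code; all names and permission sets are hypothetical. It shows the confused-subject behaviour beside a version that refuses to mint in View As, binds the token to the authenticated session, and narrows its scope:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed permission sets; the real mobile-app scopes are not on the page.
MOBILE_APP_SCOPES = frozenset({"read_profile", "publish_posts", "upload_video", "read_messages"})
VIDEO_UPLOADER_SCOPES = frozenset({"upload_video"})


@dataclass(frozen=True)
class Session:
    user_id: str                  # the account that actually authenticated
    view_as: Optional[str] = None  # profile being previewed via View As, if any


@dataclass(frozen=True)
class AccessToken:
    subject: str
    scopes: frozenset


def mint_uploader_token_vulnerable(session: Session) -> AccessToken:
    """Models the described flaws: the uploader is reachable from View As, the
    token gets the whole mobile app's permissions, and its subject is the
    profile being looked up rather than the viewer."""
    subject = session.view_as or session.user_id
    return AccessToken(subject=subject, scopes=MOBILE_APP_SCOPES)


def mint_uploader_token_fixed(session: Session) -> AccessToken:
    """Hardened variant: View As is read-only, so no write token is issued there;
    otherwise the subject is the authenticated user and the scope is only what
    the uploader needs."""
    if session.view_as is not None:
        raise PermissionError("View As is view-only; no write token can be issued")
    return AccessToken(subject=session.user_id, scopes=VIDEO_UPLOADER_SCOPES)


def token_is_confused(session: Session, token: AccessToken) -> bool:
    """Detection-style check a token service can log: does the token name
    someone other than the authenticated principal?"""
    return token.subject != session.user_id


if __name__ == "__main__":
    # Constructed sample: alice is logged in and previewing bob's profile.
    s = Session(user_id="alice", view_as="bob")
    bad = mint_uploader_token_vulnerable(s)
    print(bad, "confused:", token_is_confused(s, bad))
    try:
        mint_uploader_token_fixed(s)
    except PermissionError as e:
        print("fixed:", e)
```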
Though Facebook itself covers this hack via that newsroom post (which is being regularly updated as of the time of this writing), it had briefly blocked coverage from news sites, according to reporting by Matt Binder at Mashable.