Facebook has learned of a security vulnerability that has opened up millions of its users to account theft over the past year, though the company notes it is still investigating any impact the exploit has had to date.
While the exploit wasn’t related to Facebook’s game platform itself, the issue potentially affects 50 million Facebook accounts, making it an issue developers using the platform should be well aware of.
The issue itself is detailed in a blog post shared by Facebook and has since been fixed and reported to law enforcement. While the cause for the vulnerability seems to, by Facebook’s reports, be the result of several different small issues in the platform’s code, the core issue itself involved the “view as” feature that is intended to let a user see what information they’re showing other Facebook users.
However, an issue with “View As” instead let attackers take access tokens from Facebook accounts and allow them to hijack those accounts themselves by using the tokens to log in as an exploited user.
Facebook says that it has now reset the access tokens of the nearly 50 million accounts it knows to be affected, and has reset the access tokens for an additional 40 million accounts that aren’t known victims but had “View As” activity in the past year. Any affected users will have to log back into Facebook, both on the site and any third-party apps or locations using Facebook login, and have been sent a notice about the issue.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” reports Facebook. “We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”