Unusually high traffic to the site warned Facebook's engineers that something might be wrong. Investigating the increased activity, they discovered a massive security breach on the largest social network.
Facebook confirmed the leak earlier today in a press release. The company reported that hackers managed to steal access tokens for about 50 million users.
Access tokens are alphanumeric strings created when a user logs in; they are stored both in the user's browser and on Facebook's servers. They let users use Facebook without having to log in on every visit. The access token is controlled by Facebook's servers.
Facebook said earlier today that hackers were able to obtain access tokens for 50 million users by exploiting a vulnerability in "View As", a feature on every Facebook profile that lets you see what your account looks like to another user.
According to Facebook's engineers, the social network made a code change to the "View As" feature in July 2017. The flaw was first exploited on September 16. That is the day Facebook believes the attackers began exploiting it en masse through the "View As" feature to obtain access tokens for the company's users.
The mass harvesting of access tokens caused heavy traffic on Facebook's servers. It was that traffic that led Facebook's engineers to realize what was happening on September 26. They began investigating on September 27 and announced their findings this morning.
Facebook held a call with journalists this morning and answered general questions. Nathaniel Gleicher, head of security policy, and Guy Rosen reported that the View As vulnerability was actually a combination of three bugs.
"The vulnerability we fixed was the result of three separate bugs and was notified in July 2017."
"The first error was that when you used the View As product, the video uploader should not have appeared at all, but in one very specific case, on posts that encouraged people to wish someone Happy Birthday, it did appear.
Now, the second error was that this video uploader misused SSO to generate an access token that had the permissions of the Facebook mobile app. This was, of course, not the way SSO was intended to be used.
The third problem was that when the video uploader appeared as part of View As, which it should not have done except in the case of the first bug, it then generated an access token, which again should not have been granted. The second error generated the access token not for you as the viewer, but for some other user."
"It is the combination of these three errors that created the vulnerability," Rosen said. "This vulnerability was discovered by hackers and they used it to obtain access tokens. Then, each time they had an access token, they used it to obtain more tokens for the friends of the user whose account they had accessed."
After all of the above, of course, you should not wait. Log in to your account and check Security and Login. That page shows all devices connected to your account along with their geographic location. Log out any device you do not recognize and change your password as well.
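The following is an added example, not Facebook's code, that models the bug pattern Rosen describes (a token minted inside a "View As" context ending up bound to the viewed user instead of the viewer) beside the hardened rule, and the session listing and revocation that the Security and Login advice relies on. The `Session`, `TokenStore`, device and location values are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed toy model of access-token issuance (not Facebook's code).


@dataclass
class Session:
    user: str                      # principal who actually authenticated
    device: str                    # constructed sample device string
    location: str                  # constructed sample location
    view_as: Optional[str] = None  # "View As" impersonation context, if any


@dataclass
class TokenStore:
    # token -> (subject, device, location); the subject is who the token acts as
    tokens: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)

    def issue_vulnerable(self, session: Session) -> str:
        # Flawed pattern: the subject is taken from the View As context, so a
        # token minted while previewing another profile belongs to THAT user.
        subject = session.view_as or session.user
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (subject, session.device, session.location)
        return tok

    def issue(self, session: Session) -> str:
        # Hardened: never mint a token inside an impersonation context, and the
        # subject is always the authenticated principal, never a viewed user.
        if session.view_as is not None:
            raise PermissionError("token issuance is not allowed inside View As")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (session.user, session.device, session.location)
        return tok

    def subject_of(self, tok: str) -> str:
        return self.tokens[tok][0]

    def active_sessions(self, user: str) -> List[Tuple[str, str, str]]:
        # What a "Security and Login" page would show: one row per live token
        # with its device and location, so the user can spot unknown ones.
        return [(t, d, loc) for t, (s, d, loc) in self.tokens.items() if s == user]

    def revoke(self, tok: str) -> None:
        self.tokens.pop(tok, None)

    def revoke_unknown(self, user: str, known_devices: List[str]) -> int:
        # Log out every session whose device the user does not recognise.
        victims = [t for t, d, _ in self.active_sessions(user) if d not in known_devices]
        for t in victims:
            self.revoke(t)
        return len(victims)


if __name__ == "__main__":
    store = TokenStore()
    preview = Session("alice", "Chrome/Linux", "Athens", view_as="bob")
    bad = store.issue_vulnerable(preview)
    print("vulnerable path issued a token for:", store.subject_of(bad))
    for t, d, loc in store.active_sessions("bob"):
        print("bob's sessions:", d, loc)
    print("revoked:", store.revoke_unknown("bob", known_devices=["Safari/iPhone"]))
```

The hardened `issue` refuses outright rather than silently substituting the viewer, because a preview feature has no legitimate reason to mint credentials at all; the listing and revocation helpers show why reviewing sessions by device and location works as a mitigation even before the issuing bug is fixed.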