September 28, 2018

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.

In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.

The company said it was just beginning its investigation, and that it doesn’t yet know some basic facts about the incident, such as whether these accounts were misused, if any private information was accessed, or who might be responsible for these attacks.

Although Facebook didn’t mention this in their post, one other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user. Tens of thousands of Web sites let users log in using nothing more than their Facebook profile credentials. If users have previously logged in at third-party sites using their Facebook profile, there’s a good chance the attackers could have had access to those third-party sites as well.

I have asked for clarification from Facebook on this point and will update this post when and if I receive a response. However, I would have expected Facebook to mention this as a mitigating factor if authorized logins at third-party sites were not impacted.

Update: 4:46 p.m. ET: A Facebook spokesperson confirmed that while it was technically possible that an attacker could have abused this bug to target third-party apps and sites that use Facebook logins, the company doesn’t have any evidence so far that this has happened.

“We have invalidated data access for third-party apps for the affected individuals,” the spokesperson said, referring to the 90 million accounts that were forcibly logged out today and presented with a notification about the incident at the top of their feed.

Original story:
Facebook says there is no need for users to reset their passwords as a result of this breach, although that is certainly an option.

More importantly, it’s a good idea for all Facebook users to review their login activity. This page should let you view which devices are logged in to your account and approximately where in the world those devices are at the moment. That page also has an option to force a simultaneous logout of all devices connected to your account.
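The two remediation steps the post describes, resetting access tokens so every device is logged out at once and invalidating third-party app access, come down to server-side state checks on each token presented. The sketch below is an added example, not Facebook's code or the post's own; the HMAC token format, the per-user version counter and the app-grant table are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service would load it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


class TokenService:
    """Minimal access-token issuer with 'log out everywhere' and
    third-party grant revocation, mirroring the two steps in the post."""

    def __init__(self):
        self.token_version = {}  # user_id -> current version (bumped on reset)
        self.app_grants = {}     # user_id -> set of third-party app ids

    def issue(self, user_id):
        version = self.token_version.setdefault(user_id, 1)
        claims = {"uid": user_id, "ver": version, "iat": int(time.time())}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def verify(self, token):
        """Return the user id if the token is authentic AND current, else None."""
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        # A leaked token is still correctly signed; only this version check
        # makes a forced reset take effect for tokens already in the wild.
        if claims["ver"] != self.token_version.get(claims["uid"]):
            return None
        return claims["uid"]

    def force_logout_everywhere(self, user_id):
        """The 'reset access tokens' step: every token issued before now
        fails verify(), on every device at once."""
        self.token_version[user_id] = self.token_version.get(user_id, 1) + 1

    def grant_app(self, user_id, app_id):
        self.app_grants.setdefault(user_id, set()).add(app_id)

    def revoke_third_party_access(self, user_id):
        """The 'invalidated data access for third-party apps' step."""
        self.app_grants.pop(user_id, None)

    def app_may_act(self, token, app_id):
        """What a 'Login with Facebook' relying party should check: the token
        is current AND the user still has an active grant for that app."""
        uid = self.verify(token)
        return uid is not None and app_id in self.app_grants.get(uid, set())


def demo():
    svc = TokenService()
    tok = svc.issue("alice")                # alice's browser session
    svc.grant_app("alice", "music-app")     # she used SSO at a third-party site
    leaked = tok                            # the post's scenario: a copied token
    before = (svc.verify(leaked), svc.app_may_act(leaked, "music-app"))
    svc.force_logout_everywhere("alice")
    svc.revoke_third_party_access("alice")
    after = (svc.verify(leaked), svc.app_may_act(leaked, "music-app"))
    fresh = svc.issue("alice")              # alice logs in again
    return before, after, svc.verify(fresh)
```

The version bump is why Facebook could cut off 90 million sessions without rotating a single password, and the grant table is what the spokesperson's "invalidated data access for third-party apps" corresponds to.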


61 thoughts on “Facebook Security Bug Affects 90M Users”

      1. BrianKrebs Post author

        Thanks for your comment, but maybe next time when your comment isn’t posted instantaneously don’t submit it 20x more?

        1. Empire State

          Sorry, I had a brain fart and forgot that you gotta approve them. I’m so sorry. lol

  1. The Sunshine State

    People need to quit using Facebook once and for all

    This whole site is total B.S. anyway

      1. Sirius

        It’s easy to say but there are so many people around the world for whom Facebook IS the Internet. The social and sometimes economic tie in to this website is deeply ingrained and “delete facebook” is not a reasonable action.

        1. The Sunshine State

          It’s like that in a third world country like India,

        2. InternetOldtimer

          Those are exactly the people whom the Internet was not meant for.

          The same dolts who consider Facebook is ‘the internet’ in 2018 are the same as those who considered AOL the internet in 1998.

          Normies get off my stream – REEEEEEEEEEEEE

          1. Bett

            Well you’re about as helpful as a bee in a nudist colony.

            Not to mention racist and rather self-inflated.

            1. Jeremia

              Why not? So Ass-knives like yourself can dominate the comments section. This is the internet, it was developed by DARPA. AOL WAS virtually the most prolific during the transition between military application(why Al Gore’s name is attached to the internet). It is sad that you’re insulting another human being and you are so wrong. Apparently, you’re in need of your own advice. Everyone can learn more. Nobody has to do everything if we all do something, and that is showing respect until proven unworthy. If one cannot invest in learning about the ways they have been wrong, how will one ever truly be right?

    1. Paul

      but we all want to know what you had for dinner and which brand of cigars you’re smoking whilst listening to your Abba CD?

  2. Bill

    This has been going on for a long time, Facebook says a year but I believe it is longer. I had my ID stolen too, along with about 10-15 other people that I know of personally. A year to fix this? Really Facebook? After all the denials that there was an issue when contacted by affected users. Ridiculous.

    1. JimV

      When the principal objective function of a company is to monetize the value of users’ activity and personal information, security is rather automatically placed in the rear seat.

      1. John Bacon

        This statement does not add up.

        When the principal objective function of a company is to monetize the value of users’ activity and personal information, security is MORE important – and Facebook (despite their faults) has invested a lot in security.

        When a platform like Facebook is not secure and suffers security breaches, congressional hearings happen.

        Additionally, Facebook wants (like all services) their users to trust their site.

        Again – I’m not sure your statement is logical.

  3. Dennis

    I have a perfect solution to this, Brian. I deleted my Facebook a while back. No facebook, no worries. Awful site. IMHO Facebook should join Adobe Flash in its infamy.

    1. Povl H. Pedersen

      Deleting facebook is NOT the answer. Better have it and not use it I think.
      There are many websites that completely trust in Facebook. Including e-commerce sites, allowing you to use FB / Google OpenID to sign in, and then accepting that as a valid login to the e-mail account on the 3rd party webpage.

      So if you want to get access to john.doe’s account at, say, whatever.com, then get a Facebook account where the e-mail address is John Doe.

  4. Jeffrey C

    Working in the cyber realm, I shudder every time I see the option to login with FB. I understand the convenience this allows for users so they don’t need to memorize passwords, but a good password manager can fix that. Relying on a single sign on can work, but this shows a great example of how one exploit can cause more trouble for the users. FB has a huge attack surface due to the number of people using it, making it very target rich. This probably just gives more people reason to leave FB.

    1. Bruce Hobbs

      I feel the same about Microsoft SSO. I shudder every time I sign on to Outlook behind a corporate firewall only to watch my computer go to a public Microsoft site to verify my credentials.

      1. John

        It’s a tradeoff. I’d rather use SSO than have someone with no understanding of security best practices storing my login info.

  5. Autumn

    As far as I know, I wasn’t affected by the breach, but I am unable to start new Facebook posts, as are several of my friends who, like me, have the Apps platform disabled. Looks as if Facebook broke something while it was fixing the vulnerability.

    “User opted out of platform
    The action attempted is disallowed, because the user has opted out of Facebook platform.”

    1. Katin Thehat

      I just started seeing the same error on my desktop today, while accessing the Facebook site & trying to upload new pictures.

    2. dnfree

      Same for me. And I have no intention of changing my existing setting to enable apps, websites, etc. I can’t find any other instructions to allow me to do what I could do just yesterday, which is copy and paste a link to an article.

    3. Cheryl

      I have also encountered this issue tonight. After reading about the breach, I took the opportunity to change my password (unfortunately twice as my passkeeper didn’t store it the first change!). Once I logged back in and attempted to post a photo, the same msg appeared. I am able to reply to posts, as well as upload photos

    4. NW

      Same here. I can still post by clicking the “close” button in the error message but the post won’t fetch previews of any links I include, nor can I go back and edit any existing posts due to getting the same error message. I opted out of 3rd party app platform because of the security breach by Cambridge Analytica a few months back and had no problems copying/pasting directly to my newsfeed until today, after this new security breach was announced. In the past few days leading up to today’s announcement of this most recent security breach, my FB account was being inundated with new friend requests — over 100 in one day alone — and now I wonder if all these unsolicited friend requests came from hijacked profiles.

    5. FliXs

      That sounds like the OAuth connection was invalidated. Facebook didn’t break anything, they just killed your persistent connection to prevent an attacker from doing things on these third party apps you had connected. You will need to create a new one.

  6. Steve

    This is a great example of why it’s a bad idea to ever use credentials for Facebook, LinkedIn, etc. to log in to any third-party site.

  7. Rob

    Facebook should not be ANYBODY’s internet gatekeeper. Delete Facebook, Delete Instagram, Delete WhatsApp. There are plenty of safer alternatives.

  8. DG99

    This is just one of many reasons why I do not and never will use Facebook, Twitter, Instagram, et al. Facebook is one of the 4 most dangerous companies in the global business space with an App that puts every user at risk every day. They simply do not know what they are doing.

  9. hate facebook

    I wish fakebook would allow quick easy one button delete of accounts. I’d leave now. They make it difficult to quit with that two week waiting period.

    1. JF

      It may be difficult to leave completely.
      Just deactivate your account – easy.

      1. JF

        … and if you want to briefly enter Facebook again, you can login and deactivate again afterwards…

  10. Alex Robu

    Taking over people’s accounts is one thing, but that also means taking over business accounts (FB pages).

    Interesting that the FB newsroom security update post got 24K likes. What is there to like?

  11. Ashley

    I was a victim of this today. I keep close tabs on apps I have connected to my FB account. I only have three, so when a fourth popped up today I immediately knew it wasn’t legit. It was named “WWW VIDEO UPLOAD RESUMABLE” I immediately blocked the app, reported it to fb security and removed it from my account. Turned two factor auth on again for both my FB and Instagram accounts. Whatever, another day another hack.

    1. MB

      I’ve found the same app, which I couldn’t delete, weird isn’t it?

      1. Jack

        I believe “WWW VIDEO UPLOAD RESUMABLE” has something to do with the immediate panic and patch of the bug by Facebook, as I keep an eye on apps in my account and it turned up at a similar time to the announcement of the breach.

  12. Tex

    Can someone answer me this please –

    I was logged out of FB this morning Australian time. However, from what I’m reading, anybody who used View As to look at their own profiles got swept up too? As I used this feature a couple of months ago, it is therefore likely my access token was never actually stolen?

    Any clarity on this would be appreciated.

    1. Readership1

      Tokens are created anew for each session and do expire. Sign out of all other sites, change your FB password, then you should be fine.

      For third party sites, avoid using FB as your identifying credential, in the future. This way, a vulnerability on FB’s site won’t compromise all those other ones.

        1. Readership1

          I overlooked your incorrect use of question marks. The least you could do is show gratitude.

  13. David Union

    I’ve been complaining for 4 days to FB that it’s taking 4 or 5 seconds to key in each character when posting. They’ve ignored me but as I use FB only occasionally, I’m not bothered.
    But could the delays have been caused by their hacking problem?

  14. jstackpo

    I set out to delete my Facebook account… the “Help” page said to start by clicking on a (black on blue – real readable!) gear-wheel icon “at the top right of any Facebook page”. But the icon isn’t on any page I looked at. Am I a prisoner forever?

  15. John IL

    Best thing to do is abandon Facebook before it gets even worse. I stopped using Facebook as sign in for web sites awhile ago. I also block any attempt to do so. In the end these so called easy sign in options seem to get attacked a lot. More convinced than ever that I should just delete my Facebook profile.

  16. Bett

    Thanks, this article is helpful.

    My main question is whether the baddies can use the tokens to continue to log into third party sites regardless of actions taken by facebook.

    I assume (but please correct me if I’m wrong) that if this is the case the sites themselves could also log all users out and thus stop the bad guys entirely.

    People have been laughing at me for years for never logging into any other site with facebook, and for not trusting anything facebook or google or any other similar Internet giant does. While tempted to be all “told you so” about it, I’d rather just help people reduce the impact of this ridiculous situation.

    1. BrianKrebs Post author

      Not according to FB. They say they’ve invalidated the access tokens, so they should no longer be useable for that purpose. However, this bug has existed since July 2017, so it’s possible it could have been abused for more than a year.

  17. Monopoly

    Facebook has a perfect website and everything is good.

    But why all this fighting? Facebook earns money with advertisement and everything is good for them.

    Can they keep their website just plain and simple? The idea is people can connect with each other… I think that’s the great thing. Why is so much negativity related with Facebook?
    It’s a great website, the FB messenger is a great app, all my friends are on FB, I use it and I think it’s good. If you’ve been a long time away or you travel to a different country you might change your phone number… but then you have FB, you can contact all your contacts over FB so easy.

    Facebook needs to eliminate all this negativity, like political nonsense and other nonsense. Facebook is just for people to connect with each other and share videos, photos, ideas.

    I think FB is one of the greatest websites. You, Mark, fix this thing, remove all this negative BS.
    We need Facebook, we the people need FB, until there is a replacement for FB then it’s good.

    Thank you !

  18. Mr. Phelps

    I stopped using Facebook awhile ago and only use it when necessary.
    Now is a good time to enable 2FA for facebook (I did) if you have an account and have not done so.

    Getting someone’s token would allow you to bypass 2FA but that’s still no excuse for not using 2FA.

  19. Mike Gale

    Coupla points about Facebook:

    1. They have robotic customer service and help, even where humans are involved, you need to live with that. Trying to contact them is a waste of time.
    2. Some people communicate mainly via Facebook. Some even hardly use email any more. You may want to stay in touch with them.
    3. I wouldn’t trust the FB delete account option. If you want to nuke your account I suggest deleting your activity item by item, I suspect that may give you genuine deletion.
    4. Your content on FB is not necessarily your own. This breach shows that others may interfere. FB itself also interferes, for example compare downloaded images through their “backup account” options, over time. These images change. You’ll find images that they have expanded in size by a large factor, say 5 times. Technically that means 80% of the image was invented by Facebook and is not yours.
    5. Facebook has a demon that sits looking at your posts before and during submission. It appears to be able to automatically suspend your account. It looks for naughty words and pictures among other things. I call it Beelzebub.

    1. Readership1

      Re: point 2, why would you want to continue to associate with a person who primarily uses Facebook for communication?

      That’s like staying friends with idiots who use MySpace or WhatsApp or Snapchat or Instagram. Those kind of people are losers.

  20. LD

    Facebook has just been hacked and the extent of the damage is still under investigation, however there are FB users (after the fact) complaining that they are having trouble uploading a photo or linking to an article. Business as usual – really?

    As of now it is ludicrous to assume that the tech folks at FB have total knowledge of everything that the hackers messed with. They could have done a lot more. Also as the identity of the hackers is still unknown, we can not really ascertain their motive. I doubt it was just mischief.

    Zuckerberg said on Friday. “We need to be more proactive.’’

    Leaders are proactive. A ship of fools comes to mind.

  21. Hav0c

    Using Facebook (or other services offering SSO) could actually increase end user authentication if done correctly.

    Good passwords are hard to generate and harder to remember.

    SSO offerings like Facebook offer the option to remember 1 good password that grants access at multiple sites.

    Since many of these sites have personal data and potentially financial data or ability to password reset those sites, they should also be secured by 2 factor authentication, preferably using an authentication app instead of SMS. Facebook supports 2FA hard and soft tokens – USE IT.

    EFF has some good resources on 2FA – https://www.eff.org/deeplinks/2016/12/12-days-2fa-how-enable-two-factor-authentication-your-online-accounts

    As to FB’s security, they own some very large, very complex real estate in the cyber world and I am sure detect and block an enormous amount of attacks regularly while adding complex new feature sets. This is a single loss and we are going to pile on that? I would say they are doing a great job considering their size and complexity.

    SSO also allows FB to know where you are going and how long you stay there (CASB light). So it is in their interest to be able to track additional data.

    Lastly – Use STRONG passwords that are NOT dictionary based. I say this as Hashcat will churn through pretty big passwords comprised of multiple smaller concatenated dictionary words. – check out – https://www.4armed.com/blog/hashcat-combinator-attack/

    1. Readership1

      You’re right about the technical aspects, namely that it’s better to have one really strong authentication to an SSO, such as FB, especially since they have an option for 2FA that beats out many other logins.

      But where I think it’s wrong is that the average user won’t routinely sign out of FB when they put down their phone or walk away from their computer. The average person won’t revoke FB’s access to login at other sites they no longer wish to use. And the average person won’t use 2FA.

      And most people are average.

      So what’s left is the ubiquitous access to dozens, maybe scores, of the most popular websites in the web2.0 ecosystem, through a FB SSO that rarely expires.

      Putting all one’s eggs in one basket is always unwise.

      For a thief, this makes it very attractive to steal a mobile device as it’s being used, because it’s likely the victim never signed out of FB. And that means access to dozens, maybe scores, of websites, including Venmo and Facebook Messenger’s payments system.

      Think of all the mayhem that would result when the victim’s friends receive requests for money.

      The average person is a fool. And that’s why SSO through FB is a bad idea.

  22. Don Guiou

    The statement re additional exposure of tokens via third-party partners, ‘the company doesn’t have any evidence so far that this has happened’ is very disconcerting.

    The onus is now on the account holder to determine if this has happened. FB exposed this confidential info through negligence, but as expected assumes no responsibility for it.

  23. TW

    My Spotify account, which is linked to Facebook for authentication, was hacked a few months ago.

    I forcibly logged out all devices in Spotify, changed my Facebook password (even though I didn’t believe it could have been guessed) and Spotify was hacked again the next day… Spotify Tech support were good at helping to restore normality after that.

    I’d wondered since how the hacker managed it – I’d assumed it was some Spotify security flaw, but this seems to be a likely culprit.

    1. Rick Jones

      That sounds more like they compromised your credentials from some other breach and they are using username/password resets to continue accessing your account. My advice is change your email address credentials. Also, check haveibeenpwned.com and see if your email is listed.

  24. Amanda Hull

    I’ve been locked out of my FB account for like a month. Due to possible phishing… I’ve done everything… I mean everything I can do to get back in. All the security questions… identifying my friends, my comments, I’ve tried emailing, calling and leaving messages, I’m about to drive to Seattle and try and get someone to talk to me. If it were just the social aspect of Facebook I’d not even care. But all the pictures of my dad that died almost a year ago and my best friend that died 2 years ago are on there and I don’t have them saved anywhere else. (I know I’m stupid.) On top of that I’m an e-commerce business owner. I sell clothes, shoes, & vintage jewelry and one of my main sources of selling is FB… This lock out has killed my sales… it’s affecting my ability to feed my family.

Comments are closed.