Facebook says no evidence third-party apps were accessed using compromised accounts.
Facebook says that in the wake of a major security breach it revealed last week it has analysed its logs and found no evidence that the ‘Facebook Login’ service has been exploited.
Facebook late last week announced that some 50 million accounts were affected by an attack that leveraged a vulnerability in the social network’s ‘View As’ feature. The company said that it had reset the access tokens for 90 million Facebook accounts: 50 million whose access tokens were stolen by the attackers and, as a precaution, 40 million accounts that had been subject to a ‘View As’ look-up in the previous 12 months.
Facebook vice-president of product management Guy Rosen said the company had analysed its logs for all third-party apps installed or logged in during the attack and unearthed no evidence that Facebook Login had been exploited by the attackers.
The Facebook executive said that developers that used the official Facebook SDKs, and those that regularly check access token status, would have been protected by the access token reset.
“However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out,” Rosen said in a statement.
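The protection Rosen describes for developers who "regularly check whether Facebook access tokens are valid" rests on a simple server-side habit: a third-party app re-validates each stored token on a schedule and logs the user out when the platform reports it invalid (as it would after a token reset) or bound to a different user than expected. The following is an added illustration, not Facebook's code or any official SDK: the `SessionStore`, `Session` and the response shape are assumptions modelled loosely on a token-introspection call such as the Graph API `/debug_token` endpoint, and the network call is injected as a function so the example runs offline on constructed responses.

```python
"""Periodic access-token revalidation for a third-party app (hypothetical
defensive pattern; not Facebook's or any SDK's own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import time

# A validator takes a user token and returns the provider's parsed
# introspection response. Real apps would issue something like
#   GET /debug_token?input_token=<user_token>&access_token=<app_token>
# and parse the JSON body; here the function is injected so tests run offline.
Validator = Callable[[str], dict]


@dataclass
class Session:
    user_id: str            # who the app believes this session belongs to
    access_token: str       # token the app stored at login
    last_checked: float = 0.0
    active: bool = True


class SessionStore:
    def __init__(self, validator: Validator, recheck_interval: float = 3600.0):
        self._sessions: Dict[str, Session] = {}
        self._validator = validator
        self._recheck_interval = recheck_interval

    def add(self, user_id: str, access_token: str, now: Optional[float] = None) -> None:
        self._sessions[user_id] = Session(user_id, access_token,
                                          last_checked=now if now is not None else time.time())

    def is_active(self, user_id: str) -> bool:
        s = self._sessions.get(user_id)
        return bool(s and s.active)

    def _token_still_good(self, session: Session, now: float) -> bool:
        data = self._validator(session.access_token).get("data", {})
        # Fail closed on any of: provider says invalid, token expired, or the
        # token is bound to a different user than the session claims. The last
        # check matters because a token can be valid yet belong to someone else.
        if data.get("is_valid") is not True:
            return False
        if data.get("expires_at", 0) <= now:
            return False
        return data.get("user_id") == session.user_id

    def revalidate(self, now: Optional[float] = None, force: bool = False) -> List[str]:
        """Re-check every active session that is due; log out the ones whose
        token no longer validates. Returns the user ids that were logged out."""
        now = time.time() if now is None else now
        logged_out: List[str] = []
        for s in self._sessions.values():
            if not s.active:
                continue
            if not force and now - s.last_checked < self._recheck_interval:
                continue
            try:
                good = self._token_still_good(s, now)
            except Exception:
                # Transient introspection failure: keep the session but leave
                # last_checked untouched so it is retried on the next pass.
                continue
            s.last_checked = now
            if not good:
                s.active = False
                s.access_token = ""      # drop the credential from storage
                logged_out.append(s.user_id)
        return logged_out


# --- constructed sample data: what a provider might answer after a reset ---
CONSTRUCTED_RESPONSES = {
    "tok-alice": {"data": {"is_valid": True, "user_id": "alice", "expires_at": 2_000_000_000}},
    "tok-bob":   {"data": {"is_valid": False, "error": {"message": "session invalidated"}}},
    "tok-carol": {"data": {"is_valid": True, "user_id": "someone-else", "expires_at": 2_000_000_000}},
}


def constructed_validator(token: str) -> dict:
    return CONSTRUCTED_RESPONSES.get(token, {"data": {"is_valid": False}})


def demo() -> List[str]:
    store = SessionStore(constructed_validator)
    store.add("alice", "tok-alice", now=0.0)
    store.add("bob", "tok-bob", now=0.0)
    store.add("carol", "tok-carol", now=0.0)
    return store.revalidate(now=10.0, force=True)   # returns ['bob', 'carol']
```

In this model a reset token (`bob`) and a token that validates but belongs to a different account (`carol`) are both treated as grounds to end the session; only `alice` survives. Apps that never perform such a check keep serving a session against a credential the platform has already revoked, which is exactly the gap the announced tool is meant to close.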
Facebook has not provided a geographic breakdown of which accounts were affected by the security breach, but the Australian Cyber Security Centre (ACSC) has warned people to be alert to possible phishing attempts.
“Australians should keep a look out for any unusual activity from friends or family on their Facebook accounts,” ACSC head Alastair MacGibbon said.
Facebook’s vice-president for engineering, security and privacy, Pedro Canahuati, last week revealed details of the View As vulnerability, which was a result of the interaction of three separate bugs.
View As allows a Facebook user to see how their profile appears to another individual. The feature should provide a read-only interface, Canahuati wrote, but in one circumstance it offered the opportunity to use the ‘composer’ (the box that allows people to post content) to post a video.
A version of Facebook’s video uploader rolled out in July 2017 incorrectly generated access tokens: when it was shown during a ‘View As’ lookup, the access token generated was not that of the account using the feature but for the user being looked up, Canahuati said.
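The defect Canahuati describes is a binding error: a component rendered inside an impersonation-style view took its notion of "current user" from the profile being rendered rather than from the authenticated session, so the credential it minted belonged to the wrong person. The toy model below is an added illustration and is not Facebook's code; `Session`, `ViewAsContext`, the token format and the function names are assumptions made for this example. It places the bug pattern beside the hardened pattern (identity for credentials comes only from the session, a read-only view never renders the composer at all, and a final self-check refuses to return a token whose subject is not the caller) and a regression test that distinguishes the two.

```python
"""Toy model of the View As token-binding flaw and its hardened counterpart
(hypothetical illustration, not Facebook's implementation)."""
from dataclasses import dataclass
from typing import Callable, Optional
import hashlib
import hmac
import secrets

SIGNING_KEY = b"constructed-demo-key"   # constructed; a real service uses a managed secret


@dataclass(frozen=True)
class Session:
    user_id: str             # the authenticated principal using the site


@dataclass(frozen=True)
class ViewAsContext:
    viewer: Session          # who is using the View As feature
    target_user_id: str      # whose perspective the profile is rendered from


def mint_token(subject: str) -> str:
    """Issue a credential bound to `subject` (HMAC-tagged so it can be verified)."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SIGNING_KEY, f"{subject}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{subject}:{nonce}:{tag}"


def token_subject(token: str) -> str:
    return token.split(":", 1)[0]


def verify_token(token: str) -> bool:
    subject, nonce, tag = token.split(":")
    expected = hmac.new(SIGNING_KEY, f"{subject}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def composer_vulnerable(ctx: ViewAsContext) -> Optional[str]:
    # Bug pattern: the uploader is rendered inside the View As page and takes
    # "current user" from the page being rendered, i.e. the looked-up target.
    # The viewer ends up holding a token bound to someone else's account.
    rendered_as = ctx.target_user_id
    return mint_token(rendered_as)


def composer_fixed(ctx: ViewAsContext) -> Optional[str]:
    # Hardened pattern, two layers:
    # 1. A View As rendering is read-only, so the composer (and any token it
    #    would carry) is simply not produced in that mode.
    if ctx.target_user_id != ctx.viewer.user_id:
        return None
    # 2. When a token is produced, its subject comes only from the authenticated
    #    session, and the issuer refuses to return a token for anyone else.
    token = mint_token(ctx.viewer.user_id)
    if token_subject(token) != ctx.viewer.user_id:
        raise RuntimeError("refusing to issue a token not bound to the caller")
    return token


Issuer = Callable[[ViewAsContext], Optional[str]]


def leaks_identity(issuer: Issuer, ctx: ViewAsContext) -> bool:
    """Regression check: does a View As rendering hand the viewer a credential
    for an account other than their own?"""
    token = issuer(ctx)
    return token is not None and token_subject(token) != ctx.viewer.user_id
```

Run against a context where `alice` views her profile as `bob`, `leaks_identity(composer_vulnerable, ctx)` is true and `leaks_identity(composer_fixed, ctx)` is false; the same check written as a unit test is the kind of safeguard that catches this class of regression before it ships.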