An attack on Facebook has exposed around 50 million users. Facebook says the security flaw has been fixed and that all affected accounts were reset and secured.
The world’s biggest social networking platform was quoted in a BBC News report about the attack.
The BBC added that the attack on Facebook was discovered on Tuesday (September 25, 2018).
“Users that had potentially been affected were prompted to re-login on Friday,” the British news heavyweight said.
It further cited Guy Rosen, the company’s vice president of product management, as saying the security flaw had been fixed and all affected accounts had been reset.
He said the firm also reset another 40 million accounts “as a precautionary step.”
“The company has confirmed to reports that the breach would allow hackers to log in to other accounts that use Facebook’s system, of which there are many.
“This means other major sites, such as AirBnB and Tinder, may also be affected,” the BBC said.
Facebook was apologetic
“Since we’ve only started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.
“People’s privacy and security is incredibly important, and we’re sorry this happened,” said Rosen.
Facebook’s founder Mark Zuckerberg and COO Sheryl Sandberg were among the 50 million accounts affected by the attack on Facebook, the company admitted. The company has already informed the police.
The entry point for the attack was Facebook’s “View As” feature, whose vulnerability the attackers exploited to gain access to accounts.
What is “View As” then?
The BBC explained that “View As” is a privacy feature that lets people see how their own profile appears to other users, making clear what information can be viewed by their friends, friends of friends, or the public.
Bugs in the feature allowed the attackers to steal Facebook access tokens, “which they could then use to take over people’s accounts,” said Rosen.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” the firm’s official said as cited by BBC.
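The article explains the mechanism only at the level of “a preview feature leaked access tokens.” The following is an added example, not Facebook’s code and not taken from the BBC report: a small Python model of that class of design flaw, in which a “view as” preview mints a full token for the user being impersonated, placed beside a hardened version that computes the preview as data and issues at most a narrowly scoped token for the profile owner. The HMAC token format, function names and sample profiles are assumptions constructed for the demo; the actual Facebook bug chain is not detailed on this page.

```python
"""Added example (not Facebook's code): a minimal model of a "view as"
preview feature that mints access tokens, vulnerable and fixed variants.
Token format, names and profile data are assumptions for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing key, generated fresh for the demo (assumption).
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: dict) -> str:
    """Encode a claims dict as 'base64url(json).hexmac' (demo format)."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the MAC is valid and the token is unexpired."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def issue_token(user_id: str, scope: str, ttl: int = 3600) -> str:
    """Mint a bearer token: the 'digital key' that keeps a user logged in."""
    return _sign({"sub": user_id, "scope": scope, "exp": int(time.time()) + ttl})


# Constructed sample data: profile fields by audience, and friend lists.
PROFILES = {
    "alice": {"public": {"name": "Alice"}, "friends": {"email": "alice@example.com"}},
    "bob": {"public": {"name": "Bob"}, "friends": {"phone": "555-0100"}},
}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}}


def visible_fields(owner: str, viewer: Optional[str]) -> dict:
    """Which of owner's fields a given viewer is allowed to see."""
    fields = dict(PROFILES[owner]["public"])
    if viewer == owner or viewer in FRIENDS[owner]:
        fields.update(PROFILES[owner]["friends"])
    return fields


def _require_owner(session_token: str, owner: str) -> None:
    claims = verify_token(session_token)
    if claims is None or claims["sub"] != owner or claims["scope"] != "full":
        raise PermissionError("must be logged in as the profile owner")


def view_as_vulnerable(session_token: str, owner: str, as_user: str) -> dict:
    """Flawed design: to show 'my profile as as_user sees it', the server
    impersonates as_user by minting a FULL token for that account and hands
    it to the page (say, for an embedded component). The profile owner, who
    may be an attacker, now holds a working credential for someone else."""
    _require_owner(session_token, owner)
    impersonation = issue_token(as_user, "full")
    page = visible_fields(owner, verify_token(impersonation)["sub"])
    return {"page": page, "embedded_token": impersonation}


def view_as_fixed(session_token: str, owner: str, as_user: str) -> dict:
    """Hardened design: never mint a credential for the target. Compute
    as_user's visibility as data; if a sub-component needs a token at all,
    issue one for the OWNER with a narrow preview scope."""
    _require_owner(session_token, owner)
    page = visible_fields(owner, as_user)
    preview = issue_token(owner, "profile:preview")
    return {"page": page, "embedded_token": preview}


def can_act_as(token: str, user: str) -> bool:
    """Would an account-level API accept this token as a full login for user?"""
    claims = verify_token(token)
    return claims is not None and claims["sub"] == user and claims["scope"] == "full"


if __name__ == "__main__":
    alice = issue_token("alice", "full")
    leaked = view_as_vulnerable(alice, "alice", "bob")["embedded_token"]
    print("vulnerable: alice can act as bob ->", can_act_as(leaked, "bob"))
    safe = view_as_fixed(alice, "alice", "bob")["embedded_token"]
    print("fixed: alice can act as bob ->", can_act_as(safe, "bob"))
```

Both variants render the same preview page, which is why the flaw is easy to miss in testing: the difference is only in what credential ends up in the owner's browser. The hardened variant treats the impersonated identity as an input to an authorization decision rather than as a principal to log in, and anything it does embed is bound to the real session user and to a scope that account-level APIs reject.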
In connection with this attack on Facebook, two security experts from the Synopsys Software Integrity Group offered comments.
Getting software security right is difficult but not impossible, said Dr. Gary McGraw, vice president of security technology at the Synopsys Software Integrity Group.
“Getting software security right is difficult, but not impossible. This breach emphasizes just how important software security is, and how subtle solid security engineering can be,” he said.
“When a feature like ‘View As’ can be turned on its head into an exploit, it indicates a design problem that led to an unanticipated security vulnerability. Design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built,” McGraw added.
Synopsys Software Integrity Group technology evangelist Tim Mackey offered another observation.
He focused on access tokens and advised Facebook users to review their App Settings.
“While it is early in the investigation, the Facebook network breach shows how important an incident response plan is. In this case, the incident response includes information surrounding access tokens. Because this issue impacted ‘access tokens’, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications. If you’ve ever used a Facebook login button on a website, now would be an excellent (time) for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook.”
(This Facebook user was one of those who were prompted to re-login on Friday. I received a message that I had to re-login; I thought at the time it was nothing unusual, but I changed my password just the same.) (EKU)