Facebook says hackers could access some apps

One security expert says the hacking attack on FB is serious, but only Facebook knows how serious.

Update: 2018-09-29 03:51 GMT
Facebook shares fell for a third day, dropping 1.9 per cent to $159.33. (Representational image)

Facebook says a hack affecting 50 million users could also have given attackers access to other apps.

Facebook’s vice president of product, Guy Rosen, says that attackers with access to a Facebook user’s account could also have accessed other apps if they had logged into them using their Facebook username and password.

A feature called Facebook Login allows people to use their Facebook credentials to sign into certain other apps and services.

Rosen wouldn’t say if there was any evidence that attackers misused access to those third party accounts. He says it could have affected apps tied to someone’s Facebook account, including Facebook’s own Instagram app — although not its WhatsApp messaging service.

He says affected users will now have to manually re-link those third party apps to their Facebook accounts.

Facebook says its automated systems incorrectly marked two news articles, one from The Associated Press and one from The Guardian, as spam on Friday. The articles were both about a security breach that compromised 50 million Facebook accounts.

Facebook briefly did not allow users to post the stories, although similar articles from The New York Times and others were postable.

“We fixed the issue as soon as we were made aware of it,” Facebook says in a statement. “We apologize for the inconvenience.”

Facebook uses a wide array of automated systems and human reviewers to flag questionable postings.

Facebook briefly blocked people from posting articles by The Associated Press and The Guardian about its security breach, announced Friday, which affected 50 million accounts. When users tried to post the articles, a notice popped up saying the article had triggered a filter for likely spam.

“Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam,” the notice said. “Please try a different post.”

Similar articles by The New York Times and other outlets were not blocked.

Facebook did not respond to a request for comment.

Facebook says it doesn’t know whether hackers had specific targets in exploiting security vulnerabilities to access some 50 million user accounts.

Facebook executive Guy Rosen says the attack seems broad. He says Facebook doesn’t know who’s behind the attacks or where they’re based.

The company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Rosen says the bug somehow allowed a video uploader to appear for sending happy birthday messages. Another bug then created a log-in key that made Facebook think the hacker had legitimately signed in with the account being viewed.

Facebook says the investigation is continuing.

One security expert says the hacking attack on Facebook is serious — but only Facebook knows how serious.

Jake Williams, the president of Rendition Infosec, says the log-in keys that hackers got on some 50 million user accounts would likely allow hackers to view private information and post on other people’s behalf. He says access could also extend to other Facebook apps, such as Messenger.

He says the bigger concern is whether this could affect third-party applications since so many people let other sites log them in with their Facebook credentials.

But he says the log-in keys, called access tokens, wouldn’t let hackers get the users’ actual passwords. Facebook is saying there’s no need for users to reset passwords.

Facebook disclosed the breach Friday.

Facebook is saying the security breach affecting 50 million user accounts required some sophistication.

Facebook executive Guy Rosen says hackers exploited three distinct bugs to access the accounts. He says hackers needed to not only steal log-in keys but know how to use them.

Facebook says hackers got those keys, called access tokens, through Facebook’s “View As” feature, which lets people see what their profiles look like to someone else. These tokens keep people logged in so they don’t have to re-enter passwords each time.

The company says it started investigating when it noticed increased user access to the service nearly two weeks ago. Facebook says the FBI has been notified in the U.S., as have Irish data protection officials for the European Union.

Facebook CEO Mark Zuckerberg says the company doesn’t know yet whether hackers who had exploited a security vulnerability have misused any of the user account information.

He says there’s no evidence yet that hackers used the vulnerability to see other people’s private messages or posts or to post on those accounts. But Facebook says the investigation is continuing.

Facebook says it recently discovered a security breach affecting nearly 50 million user accounts.

In a blog post, the company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Facebook says it has taken steps to fix the security problem and alerted law enforcement.

Facebook says it recently discovered a security breach affecting nearly 50 million user accounts.

In a blog post, the company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Facebook says it has taken steps to fix the security problem and alerted law enforcement.

To deal with the issue, Facebook reset some logins, so 90 million people have been logged out and will have to log in again. That includes anyone who has been subject to a “View As” lookup in the past year.

Facebook says it doesn’t know who’s behind the attacks or where they’re based.

The hack is the latest security headache for Facebook, which has been dealing with political disinformation campaigns from Russia and elsewhere since 2016.

Tags:    

Similar News