The largest social networking site, Facebook is the latest victim of a cyber-attack. On Friday, the networking giant announced that its team has discovered a security breach that has affected nearly 50 million users globally.
The vulnerability existed in the basic ‘View As’ feature which was often used to show how the account looks like to the public. The vulnerability in the code and a combination of three bugs allowed the hackers to penetrate the accounts.
“It looks like when Facebook built the ‘View As’ feature, they did this by making it a modification of how Facebook would work if actually viewed by that other user,” said professional web app hacker and cybersecurity researcher Thomas Shadwell to Forbes. “Which of course means if there’s a mistake they might end up sending the impersonated user’s credentials to the user of the ‘View As’ feature.”
The Forbes also report explained that “If a user, via View As, impersonated a friend who themselves had a friend who had a birthday, the feature would also show a box prompting them to post a “happy birthday” video. Thanks to an error made by Facebook in July 2017, the video provided the user with one of those precious tokens.”
As the immediate step, Facebook has turned off the feature and has reset 50 million affected accounts and nearly 40 million others to stay on the safer side. Ironically though, the actors behind the breach have not been identified, nor has the security team of the platform figured out if any of these accounts were misused.
Even more alarming being the fact that there are several hosting tutorials on YouTube on how to hijack a Facebook Account using similar methods used by the hackers in the incident. Many of those continue to exist on the video sharing platform.
Beau Woods, a cybersecurity fellow at the Atlantic Council, said in an interview with The Telegraph told that “it was likely the vulnerability had already been identified by other attackers in the fourteen months since it was introduced. I would say that the 50 million is maybe the tip of the iceberg. It’s not uncommon to have multiple adversaries over time, varying in sophistication, and it’s just the clumsiest one that alerts the palace guards.”
With GDPR in place, it is also reported that Facebook could be fined as much as $1.63 billion by European Union privacy watchdogs.
