On 28 September 2018, Facebook announced that close to 50 million of its users were affected by a security flaw that allowed attackers to use the "View As" feature to hijack full access to user accounts. This was as a result of the hackers were able to steal Facebook access tokens which were then able to use to take over peopleโ€™s accounts.

It turns out, as Brian Krebs reports, the same method can be used to access and log in to 3rd party apps that use the "Log in with Facebook" feature.

"Although Facebook didnโ€™t mention this in their post, one other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user. Tens of thousands of Web sites let users log in using nothing more than their Facebook profile credentials. If users have previously logged in at third-party sites using their Facebook profile, thereโ€™s a good chance the attackers could have had access to those third-party sites as well," wrote Krebs.

It became noticeably obvious that after the Facebook security incident, the use of VPNs has grown dramatically especially for mobile devices. There is reason behind it. Using a VPN secures your device from any cyber crimes that could possibly occur.

How Facebook access tokens work

A Facebook access token, specifically a User Access Token, is obtained when one logs in to Facebook. This then grants, typically, the app using the token permission to read and write a Facebook user's data or perform actions on their behalf.

How a Facebook User Access Token is generated. Facebook

Krebs writes that a Facebook spokesperson confirmed to him that "while it was technically possible that an attacker could have abused this bug to target third-party apps and sites that use Facebook logins, the company doesnโ€™t have any evidence so far that this has happened."

Also interesting is that Facebook wrote in their initial statement that almost 50 million user accounts were affected by this security flaw. However, the social media platform is reported to have forcibly logged out 90 million user accounts that are suspected of being affected by the flaw.

Instagram hack

earlier in 2018, thousands of people reported that their Instagram accounts were hacked as photos were deleted and they couldn't log back into them. although Facebook owns Instagram, the two platforms, to our knowledge, run on two different technical infrastructures. However, given the odd nature of the Instagram hack and how widespread (but eequally limited) it was, a question worth asking is whether this was as a result of the same or similar security flaw being exploited.

The possibility that it was the same security flaw that Facebook only announced a few days ago arises as many users who have both a Facebook and an Instagram account typically either link them or use the "Log in with Facebook" feature to access their Instagram accounts.

At the time of publishing, Facebook could neither comment on this nor confirm the list of countries of the hacked users.

"It's still early days and we're working hard to better understand these details. We don't know the location of all affected people. We also do not know if this was targeted to people from one particular country." said a Facebook spokesperson in response to iAfrikan's questions on whether any of Facebook's Afrikan based users were affected.

Share this via: