This is one of the most serious security flaws to have affected Facebook in recent years. The social network announced the discovery today, but the process has been under way since last Tuesday, when its security team identified the problem.
The problem centers on the “View as” functionality, which lets users see their profile as an outside viewer, or as any other profile within the social network, would see it. Attackers exploited a vulnerability and gained access to the security tokens for this feature.
With these tokens, the attackers could access user accounts and all the data stored in them, whether public or private.
The flaw was fixed last Thursday, and Facebook has turned off the “View as” feature until the investigation of this issue is finished and new security testing can be performed.
Another measure taken, covering the 50 million potentially affected users and the 40 million who used the “View as” function, is the revocation of security tokens, which will force these users to re-authenticate on Facebook.
The flaw originated in an update that Facebook made in July 2017 to one of the components of its video service, specifically the video upload functionality.
According to Facebook, this flaw does not require users to make the usual password change on their account; the revocation of security tokens that Facebook has already carried out today is enough.
It is too early for Facebook and the authorities to understand the extent of this failure and the amount of data that may have been stolen from users’ accounts.
With problems becoming increasingly frequent and occurring at various levels, users of the Internet's largest social network are beginning to question whether to stay and what data they place in this service.