All though it is not yet clear the complete impact of the compromise and who is behind it, facebook has suffered one of its biggest compromises in years. An attack that could allow attackers to have unauthorized access to the victims account and data on facebook. The attack is related to 3 vulnerabilities that were introduced to the facebook's platform since July 2018.
Facebook introduced three vulnerabilities into its video uploader feature according to Guy Rosen, Facebook’s vice president of product management. When using the “View As” feature to view a profile, the video uploader feature would generate an access token using the person who's profile page was being viewed. The attacker then can obtain the access token and log into facebook as the person's profile being viewed.
An Access Token is a credential that can be used to authenticate a user to an application (the API in this case). Its purpose is to inform the API that the requester has been previously authenticated and authorized to access the application. Most sites and apps online today use this method. Online applications keep you logged in without you having to enter your credentials every time you access the application and its data.
The facebook token does not store your password — but it is recommended to change your password as we do not know the full extend of the compromise as of yet.
Facebook says at least 50 million users data has been compromised since July 2018.
Recommendations
- Reduce the amount of data and information your upload to social networks to reduce the impact on your personal life and your business in future compromises
- Change your password across all online accounts that your have used this password on
- Sign out of all online services integrated with your facebook unlink and relink with facebook
- Enable Multi-factor authentication on facebook and all other online services that you use that offer this feature
0 Comments