I was slightly concerned yesterday morning when I saw that I had to manually log in to Facebook. I normally keep my browsers set to automatically log me in, so any situation where I would need to log back in would be cause for some kind of alarm. I figured maybe someone got ticked by something I said and reported it, which, long story short, if the report has action taken against it, means you have to log in again and be presented with the news that what you posted was reported and found against the terms of service.
That wasn’t the case – I logged in to find no alerts or anything. It was a short while later, though, that I saw the news that there was apparently another security breach involving Facebook.
Here we go again.
This one is an interesting one though, involving the View As feature of the site, which lets you view your page as a random user or as a specific friend. Apparently this feature had a bug present since mid-2017 which would, under the right conditions, allow someone to use the “access token” of another user – in the simplest terms I can phrase it, you could use Facebook actively as the other person, posting content as them and taking actions as them rather than as your own account. Apparently this all originated from a flaw in a birthday greeting video feature which Facebook added at around the same time – using View As would allow someone to post a birthday greeting as the person they were viewing the page as, which would allow them to obtain the access token of that user and continue using Facebook as them, or so my understanding of it goes.
As described in the tech press it’s quite a complex thing to explain, but the basic idea is simple enough, and pretty messed up. In response, Facebook reset the access tokens of the users suspected to have been part of the possible breach, as well as those of pretty much anyone who had used View As – me being among the latter but hopefully not the former. View As in and of itself is, or was, quite a useful tool for privacy, but as things stand currently it has been disabled while Facebook works to solve this issue.
The more damaging part of this is that other services which use Facebook as part of their sign-in system may also have been compromised, since this same access token serves as the authentication for those sites and services. While Facebook is certain that a breach of its own service did happen, it does not yet know for sure whether a breach of third-party services using Facebook as a login method occurred or not.
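As an added illustration that is not from this post and is not Facebook’s own code, here is a toy model of the kind of mistake described above: a feature rendered under View As mints its access token for the identity being viewed instead of for the person actually logged in. Everything in it (the `Session` class, `mint_token`, the signing key) is constructed for the example.

```python
"""Toy model of a 'confused principal' token bug, constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder; a real service would load this from a secret store.
SIGNING_KEY = b"example-server-side-signing-key"


@dataclass(frozen=True)
class Session:
    authenticated_user: str           # who actually logged in
    view_as: Optional[str] = None     # "View As" target: a display preference only


def mint_token(user: str) -> str:
    """Issue a signed bearer token that lets its holder act as `user`."""
    nonce = secrets.token_hex(8)
    sig = hmac.new(SIGNING_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{sig}"


def token_subject(token: str) -> str:
    """Verify the signature and return the user the token acts as."""
    user, nonce, sig = token.split(":")
    expected = hmac.new(SIGNING_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    return user


def birthday_uploader_token_vulnerable(session: Session) -> str:
    # Bug: the uploader asks "whose page is being rendered?" and mints the
    # token for that identity, so under View As it belongs to someone else.
    effective_identity = session.view_as or session.authenticated_user
    return mint_token(effective_identity)


def birthday_uploader_token_fixed(session: Session) -> str:
    # Fix: tokens are issued only for the authenticated principal. View As
    # changes what is displayed, never who the server acts on behalf of.
    return mint_token(session.authenticated_user)
```

The check a reviewer would want is that every token-issuing path derives its subject from the authenticated session and never from any rendering or impersonation context.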
I can’t begin to cover this fully myself – all I can do is write about it as I understand it. Below are a few links regarding this issue – they can explain it better than I can in some ways.
This hasn’t been the best year for Facebook, to say the least.
https://www.wired.com/story/facebook-security-breach-50-million-accounts/
https://www.wired.com/story/facebook-security-breach-third-party-sites/?mbid=social_twitter