UK HQ

MacSupportPlus

1 Chestnut Grove

St Neots

Cambs. PE19 2DW

+44 844 567 6915

Global HQ

Mac-Midi-Pyrenees

En Reynés

81470 Cuq Toulza

France

+33 5 63 70 93 62


Just as the Mac has evolved so have the needs of the user: this is why we are now MacSUPPORTplus.

Facebook confessed today that buggy code potentially exposed all of its users' accounts to hackers over the past 14 months. It reckons miscreants snooped on at least 50 million people's private profiles, and perhaps as many as 90 million.

In a security note posted Friday morning, the social media giant's VP of product management Guy Rosen said the biz uncovered a security hole earlier this week that allowed scumbags to snatch tens of millions of people's account access tokens.

These tokens were used to log into the associated Facebook accounts without knowing their passwords, letting crooks download victims' private information, photos, and videos.

The stolen tokens could also be used to log into apps and websites that were connected to each of the hacked Facebook accounts. Those apps and sites could then be ransacked by the cyber-attackers. It would be trivial: use a stolen token to log into someone's Facebook profile, then log into sites and apps linked to that account.

In effect, every single Facebook user account was wide open to being hacked, although the Silicon Valley goliath estimated that "only" 50 million accounts were, in the words of a spokesperson, "directly affected." A further 40 million had their accounts "looked up." It has patched the hole, and logged out 90 million users to invalidate their access tokens. Facebook staff said it appears no posts were made on users' behalf by the hackers, and that no credit card information was taken. "We will update you as we know more," a representative told us.

The security hole was available through the "View As" option – where users can check how others might see their profile, allowing folks to make sure that their private stuff is private and public posts are visible. The biz's engineers discovered that attackers had found a hole that allowed them "to steal Facebook access tokens which they could then use to take over people's accounts."

"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017," the social network said in a statement.

Spiked

At a press conference held Friday morning in the valley, a Facebook representative went into greater detail. The hole was the result of three different bugs: the first caused a video upload feature to appear on certain posts when it shouldn't have; the second caused that uploader to generate an access token; and the third, critically, caused the access token that was generated to be for the person being looked up, rather than for the actual user. That meant a third party was potentially able to directly access any user's account.

Facebook spotted the hole after it noted a suspicious "spike" in user activity on Tuesday. The attack was "fairly large scale," it admitted, and when it investigated the cause, it discovered hackers were using the site's API to automate the process of grabbing users' profile information.
Facebook said it went to law enforcement the next day, patched the hole soon after, and logged out all accounts that accessed the "View As" option since July 2017.
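The three-bug chain described above, and the mass log-out used to invalidate tokens, as an added illustration that is not Facebook's code: a minimal token service in which the uploader mints a token for the profile being viewed (the defect) beside one that mints for the authenticated actor (the fix), plus a per-user generation counter that revokes every outstanding token. All names (`RequestContext`, `mint_token`, `revoke_all_tokens`) are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo signing key; a real service would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Per-user token generation. Bumping it invalidates every token minted earlier
# for that user, i.e. a forced "log out" without touching the password.
token_generation: Dict[str, int] = {}


@dataclass
class RequestContext:
    actor: str    # authenticated user who sent the request
    subject: str  # profile being rendered, e.g. the "View As" target


def mint_token(user_id: str) -> str:
    """HMAC-signed bearer token bound to user_id and its current generation."""
    payload = f"{user_id}:{token_generation.get(user_id, 0)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def issue_uploader_token_vulnerable(ctx: RequestContext) -> str:
    # Bug: token is bound to the profile being viewed, not to the caller, so a
    # "View As" request hands the caller a token for someone else's account.
    return mint_token(ctx.subject)


def issue_uploader_token_fixed(ctx: RequestContext) -> str:
    # Fix: always mint for the authenticated actor, never for a principal
    # taken from the content being rendered.
    return mint_token(ctx.actor)


def verify_token(token: str) -> Optional[str]:
    """Return the user the token grants access to, or None if forged or revoked."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, gen, sig = parts
    expected = hmac.new(SERVER_KEY, f"{user_id}:{gen}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return user_id if int(gen) == token_generation.get(user_id, 0) else None


def revoke_all_tokens(user_id: str) -> None:
    token_generation[user_id] = token_generation.get(user_id, 0) + 1
```

The generation bump is the cheap, per-user equivalent of the blanket log-out Facebook performed: already-issued tokens fail verification without a password reset.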

"We are constantly improving our security and this underscores the fact that there are constant attacks," said CEO Mark Zuckerberg. "We need to keep focusing on this over time."

This comes after a hacker in Taiwan threatened to live-stream over the internet on Sunday him hacking into Zuckerberg's Facebook account. He U-turned, and canceled the web video spectacle within hours of today's admission by Facebook.

Earlier this week, it emerged Facebook was using people's cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads.

Updated

Following an afternoon press conference, it emerged that Zuckerberg and chief operating officer Sheryl Sandberg's Facebook accounts were among those hacked. Also, it was confirmed it was possible to use the swiped access tokens to log into connected apps and websites that used Facebook to authenticate the hacked users... oops!

Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code
