Insecure Code Cited in Facebook Hack Impacting Nearly 50 Million Users
Facebook recently announced a cyberattack that could have potentially impacted 50 million users. Click here to learn more!
Join the DZone community and get the full member experience.Join For Free
Veracode’s Chris Wysopal assumes that the attack was automated in order to collect the access tokens, given that attackers needed to both find this particular vulnerability to get an access token, and then pivot from that account to others in order to steal additional tokens.
In reviewing the available details, Veracode’s Chris Eng suggests that an educated guess could lead to the conclusion that having two-factor authentication enabled on the account may not have protected users. Given that the vulnerability was exploited through the access token as opposed to the standard authentication workflow, it is unlikely second-factor verification would have been triggered.
Facebook reportedly fixed the vulnerability and informed law enforcement of the breach and is temporarily turning off the "View As" feature while they undergo security checks. Additionally, the company has reset the access tokens to the affected accounts and is taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
Published at DZone with permission of Laura Paine, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.