Yesterday, Facebook reported a breach of its web service through a feature
called “View As.” The feature allows users to view their profiles as they
appear to other people. A bug in this feature gave hackers access to
“access tokens.” The tokens act as digital keys that allow users to log into
their accounts without needing to re-enter their password.

Facebook says it took the following actions yesterday:

· It removed the “View As” feature until it can fix the bug that allowed hackers access.
· It reset the access tokens of 50 million accounts that the company knew were affected by the breach.
· It also reset the access tokens of another 40 million accounts that may have been affected.

Another potential vulnerability resulting from this hack is the ability to
log into other websites or apps using your Facebook identity. Facebook says
that it has not seen any evidence so far that the hackers were exploiting
this vulnerability. As a precaution, it invalidated access to third-party
apps for the 90 million affected or potentially affected accounts.

Facebook says that there is no need to reset your Facebook password. The
Identity Theft Resource Center (ITRC), however, does recommend resetting
your Facebook account password. ITRC also recommends that you change the
passwords for any apps that you have connected to Facebook and that you
revoke permission for Facebook to connect to those apps.

For more information, check out these links:
Krebs on Security:
Identity Theft Resource Center: