Facebook Update on the Security Issue

    Facebook Update on the Security Issue


    Posted: 12 Oct 2018
    We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed. Today, we’re sharing details about the attack we’ve found that exploited this vulnerability. We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate.

    As we’ve said, the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As,” a feature that lets people see what their own profile looks like to someone else. It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

    Here’s how we found the attack that exploited this vulnerability. We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability. Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. As a precaution, we also turned off “View As.” We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.

    We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen. Here’s how it happened:
    First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

    The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.

    People can check whether they were affected by visiting our Help Center. In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.



    Customized messages that people will see depending on how they were impacted.

    This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities.


    Source: An Update on the Security Issue | Facebook Newsroom
    Brink's Avatar Posted By: Brink
    12 Oct 2018



  2. mrjimphelps
    Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       New #1

    They never talk about the "elephant in the room" - Facebook is continually getting ever more of your personal data. For me, that is a major security breach.
      My Computer
    Quote Quote

  4. townsbg
    Posts : 1,851
    Windows 7 pro
       New #2

    If I'm reading this right the hackers created multiple accounts and friended everyone they could and those are the victims. I went to the link and it said that based on what they know I wasn't impacted. I'm not a friend collector. I have 32 friends and I know all of them personally (most are family). On top of that I have friend requests restricted to friends of friends rather than the general public. Maybe others should take a lesson from this. Know all of your friends and verify their account before friending them. When one of my friends created a second account I didn't accept the request until I verified that it was her. Call me paranoid but that worked out in my favor.
      My Computer
    Quote Quote

  5. Brds7t7
    Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       New #3

    That doesn't sound paranoid to me at all. When I did have a Facebook account, I didn't add any random people to my account. If I got a friend request and didn't know them I just deleted it.

    Really don't see the point in adding people I don't know. But I guess that's modern life, and how people "socialise" these days. I personally have no interest in strangers posting selfies of themselves 50 times a day, or posting photos of their lunch.

    If you're using it as a business account I can see the appeal. It's a good way to advertise your business these days. But, I've never really understood adding loads of random people to a personal account. Each to their own though.
      My Computer
    Quote Quote

 

  Related Discussions
Source: https://newsroom.intel.com/news/intel-offers-security-issue-update/
Security update KB4019263 deployment issue
in Windows Updates & Activation

Greetings to all Windows Updates lovers, we are facing issues with deployment of one important Microsoft security patch kb4019263 (windows6.1-kb4019263-x64_d64d8b6f91434754fdd2a552d8732c95a6e64f30.msu) from https://support.microsoft.com/en-us/help/4019263/windows-7-update-kb4019263 We solved...
Security update issue
in Windows Updates & Activation

Belarc reported: I am unable to follow this to obtain the fixes. Everything I try just explain what the updates are about. Can someone please unscramble this for me so I can implement the updates. Thanks. P.S. Microsoft Update is up to date. It does not resolve this issue.
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 14:05.
Find Us