Facebook Says No Apps Were Accessed in Recent Hack
4.10.2018 securityweek Social
Facebook has shared another update on the hacker attack disclosed last week. The social media giant says there is no evidence that the attackers accessed any third-party apps.
Facebook revealed on September 28 that it had reset the access tokens for 90 million accounts, including 50 million that were directly impacted and 40 million deemed at risk.
Hackers obtained access tokens for nearly 50 million accounts after exploiting three distinct bugs in the View As feature, which shows users how others see their profile, and a video uploader interface introduced in July 2017. The vulnerability was patched and Facebook informed users in its initial blog post that it had found no evidence of misuse, but noted that its investigation is ongoing.
The company admitted that the attackers could have accessed not only Facebook accounts with the compromised tokens, but also third-party apps that use Facebook login. Resetting the tokens eliminated the risk of unauthorized access to these applications, but Facebook still had to figure out if any apps were accessed during the attack.
A blog post published by the company on Tuesday said there was no evidence of unauthorized access to apps based on an analysis of logs for all third-party apps installed or logged in during the attack.
Facebook has also created a tool to help developers determine if any of their users have been impacted.
“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens,” explained Guy Rosen, VP of Product Management at Facebook. “However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”
Facebook has advised developers to use its official SDKs for Android, iOS and JavaScript as these automatically check the validity of access tokens, and log their users out of the app when error codes show an invalid session.
Facebook has yet to provide any information on the attackers and their motives, and the attack does not appear to be targeted at a specific country or region.
The social media giant faces lawsuits and government investigations as a result of the incident, and the company’s stock has been steadily falling since the disclosure of the breach. It dropped from nearly $169 on September 27 to just over $159 on Tuesday.