On September 28, 2018, Facebook CEO Mark Zuckerberg announced in a Facebook post that an attacker had exploited a technical vulnerability in the Facebook interface. The attacker stole access tokens that made it possible to log into the accounts of 50 million Facebook users.
According to the CEO, the security vulnerability has been patched. The social networking site also took down the feature that contained the vulnerability. The feature, called ‘View As,’ was available in the Profile section and let a user see how their profile appears to other users.
Additional details were posted in the Facebook Newsroom by Guy Rosen. They highlight three issues that together enabled the hackers to exploit the vulnerability in Facebook.
The first issue was that View As, which should have been a view-only feature, also allowed posting a video. This happened in the interface where people can wish their friends a happy birthday.
The second issue was that a new video uploader, launched in July 2017, generated an access token with the permissions of the Facebook mobile app.
The third issue was that when the video uploader was accessed through the View As feature, the access token was generated not for the person viewing but for the user being looked up.
The current security breach is attributed to these three bugs in the Facebook system. The term "access token" appears frequently in this news. Access tokens are digital keys that keep people logged in to Facebook.
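The following added example is a simplified model of how the three issues combine, shown beside a corrected issuer; it is not Facebook's code, and every name in it (`Request`, `issue_token_vulnerable`, `issue_token_hardened`, `cross_account_tokens`, the scope strings) is hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

class ReadOnlyContext(Exception):
    """Raised when a token is requested from a preview (view-only) page."""

@dataclass(frozen=True)
class Request:
    session_user: str               # the account that actually authenticated
    view_as: Optional[str] = None   # profile being previewed, if any

@dataclass(frozen=True)
class Token:
    subject: str   # account the token logs in as
    scope: str     # what the token is allowed to do
    value: str

def issue_token_vulnerable(req: Request) -> Token:
    # Issue 1: nothing stops a write component from running inside a preview.
    # Issue 2: the uploader asks for the broad mobile-app scope.
    # Issue 3: the subject is the rendered profile, not the session owner.
    subject = req.view_as or req.session_user
    return Token(subject, "mobile_app", secrets.token_urlsafe(16))

def issue_token_hardened(req: Request) -> Token:
    # Preview pages are view-only: never mint credentials there.
    if req.view_as is not None:
        raise ReadOnlyContext("token issuance is disabled in preview mode")
    # Bind to the authenticated principal and the narrowest scope needed.
    return Token(req.session_user, "video_upload", secrets.token_urlsafe(16))

def cross_account_tokens(issuer, requests):
    """Return (session_user, token_subject, scope) for every token issued
    to an account other than the one that authenticated."""
    findings = []
    for req in requests:
        try:
            tok = issuer(req)
        except ReadOnlyContext:
            continue
        if tok.subject != req.session_user:
            findings.append((req.session_user, tok.subject, tok.scope))
    return findings

# Constructed sample requests: a normal upload and an upload from a preview.
SAMPLE = [Request("alice"), Request("alice", view_as="bob")]
```

The `cross_account_tokens` check is the invariant worth testing or alerting on in any token service: a token's subject must always equal the authenticated session's user.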