Vulnerability in View As feature Facebook gave access to 50 million accounts

A vulnerability in Facebook’s ability to view profiles as someone else made it possible to take over accounts of nearly 50 million users. The affected users will receive a notification.

Facebook says attackers exploited a code vulnerability in the View As functionality that allowed them to get their hands on access tokens. These tokens are normally used to prevent legitimate users from having to log in every time.

According to Facebook, the vulnerability has been fixed and the authorities have been informed. It’s not clear what the attackers did with the accounts they had access to, nor is it clear how many accounts were compromised.

Facebook reports that almost 50 million accounts were vulnerable. The social network has reset the access token of these accounts. Facebook has also reset the token of 40 million other accounts that used the View As function in the past year, it says as a precaution.

The 90 million users whose access token has been reset have to log in again and receive a notification at the top of their news feed with an explanation when they have done so. Facebook is temporarily turning off the View As function and says it is investigating its security extensively.

According to Facebook, the attack uses the “complex interaction of multiple issues in the code.” The vulnerability is said to stem from changes made to the video upload functionality in July 2017.

Facebook says the investigation is still in an early phase and says it has yet to determine whether accounts have been abused. The social network does not know who is behind the attack. Changing passwords is not necessary according to Facebook.