Originally published at The Atlantic

More bad news: Facebook has announced that a security exploit allowed attackers to gain control of at least 50 million user accounts.

According to the company, the exploit impacted a feature that lets users see what their profile looks like to another user. In this case, the breach doesn’t appear to involve extracting data from servers. Instead, the defect—introduced by a change to the way videos get uploaded—allowed users to gain control of a user’s account directly, without a password. Facebook says they have fixed the vulnerability and taken steps to protect other users who could have been impacted. “We’re taking this incredibly seriously,” Guy Rosen, Facebook’s vice president of product management, wrote on the company’s behalf.

This is not great. Someone who gains access to your Facebook account can see all your posts, your friends, your contact info, your messages, and more. They can also take actions on your behalf—and access other services you have logged into via Facebook. A determined attacker could make creative use of access to selectively targeted Facebook users’ accounts. Just think of the worst thing someone might find on your own Facebook account. Now imagine the same thing for your spouse, your children, your boss, or your friends. That’s not all, though: As the New York Times’s Gabriel Dance showed, the access tokens obtained this way can also be used to scrape data from an account’s friends.

published September 28, 2018