So, recently Facebook officially announced that it has found a security bug in its code, which affected almost 50 million accounts.
Now, yeah, the number is pretty big, but what’s worse is the bug itself.
Link to the official announcement from Facebook about this bug: https://newsroom.fb.com/news/2018/09/security-update/
So, let me get it straight. This security bug allows anyone to log in to anyone else’s Facebook account. Which means I can simply log in to Mark Zuckerberg’s Facebook account without having to do anything complex.
So what is this bug? How dangerous and how dumb is it?
Well, if you guys don’t know about the “View As” tool on Facebook, it’s basically a tool that lets you see how your profile looks from some other person’s Facebook account, so that you can customise your profile accordingly and know how it looks from your friend’s Facebook account.
Now, this feature is designed as a view-only interface, which means it is designed only to let people know how their profile looks from another person’s account. It does not allow anything other than viewing the profile.
This feature has existed on Facebook for a long time. And honestly I never used it, because, I don’t know, I never found it useful. Anyways.
So what happened is this: when you use the View As tool and select a specific person to view your profile as, it displays a composer box where you can post something on Facebook. In this composer box, there is a component you can use to post birthday wishes to someone. This component of the composer incorrectly gave the user an option to post a video.
So, what’s the big deal if you are given an option to post a video? Obviously, this is not going to affect anyone, because if you do post a video, it is still posted on your timeline only.
Well, here is the catch. Facebook released a new version of its video uploader, and this video uploader, when used with the View As option, incorrectly and unintentionally generated an access token of the Facebook Mobile App. But wait, it is not generating your access token here; it is actually generating the access token of the person you selected in the View As option. Which means, if I am using the View As option to see how my profile looks from Mark Zuckerberg’s Facebook account, then I am actually getting the access token of Zuckerberg’s Facebook account!
And I can simply find this access token in the HTML of the page, because it is generated there by the video uploader.
And if you don’t know what is meant by an access token, it is simply a string value that you can use to log in to your Facebook account without having to enter your username and password. So, basically, with an access token you get access to a Facebook account without the password.
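Here is a simplified model of the flaw described above, with the broken uploader next to a hardened one. It is an added example, not Facebook's code: the token format, the `RequestContext` class, the user names and every function name are assumptions made up for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed signing key for this model only

@dataclass
class RequestContext:
    session_user: str               # who actually authenticated
    view_as: Optional[str] = None   # whose viewpoint the page is rendered from

    @property
    def effective_user(self) -> str:
        # Rendering code uses this to decide what the profile should look like.
        return self.view_as or self.session_user

def mint_token(user: str) -> str:
    """Issue a bearer token for `user` (hypothetical format: user.signature)."""
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"

def token_owner(token: str) -> Optional[str]:
    """Return the account a token logs in as, or None if the signature is bad."""
    user, _, sig = token.rpartition(".")
    good = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(sig, good) else None

def uploader_vulnerable(ctx: RequestContext) -> str:
    # Flaw: the token is minted for the rendering identity, so in View As mode
    # it belongs to the person being viewed as, and it lands in the page HTML.
    return f'<div data-token="{mint_token(ctx.effective_user)}"></div>'

def uploader_hardened(ctx: RequestContext) -> str:
    # Fix 1: a read-only View As page never gets a token at all.
    if ctx.view_as is not None:
        return "<div></div>"
    # Fix 2: tokens are only ever bound to the authenticated session user.
    return f'<div data-token="{mint_token(ctx.session_user)}"></div>'

def owner_of_token_in(html: str) -> Optional[str]:
    """Defender's check: which account does the token embedded in `html` open?"""
    if 'data-token="' not in html:
        return None
    return token_owner(html.split('data-token="')[1].split('"')[0])
```

The check in `owner_of_token_in` is the kind of regression test that catches this class of bug: render the page in View As mode and assert that no credential for the viewed-as account appears in the output.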
I mean, isn’t it quite shocking that a big company like Facebook had this dumb security bug?
Like, seriously, using this bug anyone can get access to anyone else’s Facebook account by just using the View As tool. Nothing else needs to be done. Now, Facebook announced that it has discovered an external actor who has actually exploited this bug on Facebook. Which means that someone found this bug before Facebook did, which is a bad thing.
So, anyways, Facebook has now fixed this bug, and it has also logged people out of their Facebook accounts to make sure that their old access tokens expire and can’t be used anymore, in case their account was hacked via this security bug.
Credits for the part of the video where I showed the View As tool demonstration: Super Easy Tech Tips (YouTube channel)