Let’s face it – nothing is ever truly secure. We can make it as difficult as we want to deter attackers, but in the end, as long as the attacker is determined, they can and will eventually breach their targets. With that being said, Facebook’s track record in protecting their user data is abysmal at best. Not only have they been caught selling their own users’ data, but now the company has managed to leak the data of upwards of 50 million user accounts – the largest breach in the company’s history.
The attacker(s) elaborately chained together a series of bugs in order to accomplish their task, including one in Facebook’s “View As” feature, which was originally intended to allow users to see how their profile appeared to the public whilst still logged in to their account. Another bug caused Facebook’s Video Uploader tool to appear on the “View As” page, which the attacker(s) could then use to generate an access token for the targeted account.
Normally, the role of the access token would be to keep the user logged in to their Facebook account on a device without having to enter their username and password every time. However, having gained the access token of the account, the attacker(s) could then trick the website into thinking that they had previously been logged in to the website, and to log them back in, thereby granting them total control of the account.
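To make the confused-deputy nature of this chain concrete, here is an added, simplified model (not Facebook's code; the session, token and uploader functions are assumptions for illustration): a token-minting path that trusts the profile being displayed instead of the authenticated session hands out a token for the viewed user, while the hardened version only ever mints for the principal who actually logged in.

```python
"""Added example: token issuance inside a 'View As' preview context.

Constructed model, not Facebook's implementation. The flaw shown is that a
feature rendered inside the preview asks for a token for the *displayed*
profile rather than the *authenticated* user.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed server-side key


@dataclass
class Session:
    user_id: str               # who actually authenticated
    view_as: Optional[str]     # profile being previewed, if any


def mint_token(user_id: str) -> str:
    """Bind a token to a user id with an HMAC tag (simplified format)."""
    tag = hmac.new(SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag[:16]}"


def token_owner(token: str) -> Optional[str]:
    """Return the user a token is valid for, or None if the tag is bad."""
    user_id, _, tag = token.partition(".")
    expected = mint_token(user_id).partition(".")[2]
    return user_id if hmac.compare_digest(tag, expected) else None


def vulnerable_uploader_token(session: Session) -> str:
    # BUG: the uploader runs inside the View As page and requests a token for
    # the profile on screen, which in a preview is the *viewed* user.
    subject = session.view_as or session.user_id
    return mint_token(subject)


def hardened_uploader_token(session: Session) -> str:
    # Fix: the preview context never changes who the token represents;
    # tokens are minted only for the authenticated principal.
    return mint_token(session.user_id)


def resume_session(token: str) -> Optional[Session]:
    """Log a client back in from a token; this is why a leaked token is total control."""
    owner = token_owner(token)
    return Session(user_id=owner, view_as=None) if owner else None
```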
This breach has damaged Facebook’s already bad reputation, especially after the Cambridge Analytica scandal, and could be one of the killing blows for the social media giant’s diminishing user base.
According to Facebook, the vulnerabilities have already been fixed, but the damage has already been done. Although it is now considered safe to use, would you really trust a company that has been revealed to sell your data and has been breached several times?