How three bugs allowed hackers to compromise over 90 million Facebook accounts

Facebook states that the hacker took advantage of three bugs in Facebook’s systems.


On 28 September, Facebook reported that a hacker had gained access to over 50 million Facebook accounts and that another 40 million users could have been affected. The breach is just one in a long list of privacy issues affecting a platform that is home to the personal data of just about every internet-connected being on this planet.

The hacker seems to have taken advantage of Facebook’s “View As” feature, which is, ironically, a privacy feature designed to let you view your profile as someone else. The feature lets you fine-tune the access that other people have to your account data.

 How three bugs allowed hackers to compromise over 90 million Facebook accounts

Cardboard cutouts of Facebook CEO Mark Zuckerberg. Image: Reuters

Facebook states that the hacker took advantage of three bugs in Facebook’s systems:

  1. The ‘View As’ feature isn’t supposed to let anyone post anything, it’s only meant as a preview. A bug in the interface allowed users to post a video while using ‘View As’.
  2. Facebook updated the video uploader interface in July 2017, which “incorrectly” generated an access token (more on that later).
  3. The catch here is that you would gain an access token of the account you “viewed as”. If you were my friend and viewed my page as your profile using ‘View As’, I could potentially gain access to your Facebook account.

The access token can be thought of as a key to an account. It’s because of things like access tokens that we don’t need to sign in with our usernames and passwords every time we access our account from a mobile phone or personal computer. Someone with access to the access token to our account could, well, access our account.

Any website or app that used Facebook’s single sign-on feature was vulnerable once the token was leaked. This also includes apps like Instagram and Zomato, which carry yet more personal information.

Accounts so hacked could then be used to look up other accounts and gain access to those as well, leading to a data breach that can grow exponentially.

Facebook claims to have spotted the vulnerability when it saw an unusual spike in the use of the “View As” feature. To deal with the issue, Facebook has disabled ‘View As’ and deauthorised access tokens for 50 million affected accounts. Access Tokens for another 40 million accounts that may have been compromised by someone using the ‘View As’ feature were also disabled.

While Facebook seems to have responded promptly to the issue, the fact remains that one careless mistake, (or maybe 3, in this case), could have compromised the accounts of each and every one of Facebook’s 2 billion+ users.


Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.