Everyone who could have been affected by the bug was asked to log in to the social network again.
The company has only just begun its investigation, and the exact cause of the bug is not yet known. As a precaution, the social network "threw" 40 million people off the site, forcing them to log in again.
The social network explained that it takes the problem "incredibly seriously" and wants everyone to know what happened. The bug allowed attackers to steal the access keys (tokens) for a user's profile and use them to take over the account. As Facebook explained, tokens can be thought of as digital keys that let users stay logged in to the site without having to enter their password every time.
The company said it immediately took several steps to deal with the problem: it closed the vulnerability and notified law enforcement. In addition, it reset the access tokens of 50 million people and is preparing to do the same for another 40 million users; all of them will have to log back in to the social network with their password.
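The token reset described above works because a server never has to trust a token on its own: it checks the token's signature and compares the "generation" recorded inside it against a per-user counter it keeps itself, so bumping that counter invalidates every outstanding token for the user at once and forces a fresh login everywhere. The following is an added illustration of that mechanism, not Facebook's code: it assumes HMAC-signed tokens and uses an in-memory dictionary as a stand-in for the database that would normally hold each user's current token generation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Server-side signing key. Constructed for this example; a real service loads it
# from a secret store and never hard-codes it.
SERVER_KEY = b"example-signing-key-do-not-use-in-production"

# Per-user token generation counter (stand-in for a database column). Every issued
# token carries the generation it was minted under; bumping the counter makes every
# token issued before the bump fail validation, which is what a mass "reset" does.
TOKEN_GENERATION: Dict[int, int] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a signed token bound to the user's current generation and an expiry."""
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,
        "gen": TOKEN_GENERATION.get(user_id, 0),
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(8),  # makes two tokens for the same user distinct
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the token is authentic, unexpired and current; else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    # Constant-time signature check first, so nothing in the payload is trusted
    # before authenticity is established.
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < now:
        return None
    # A token whose generation no longer matches the server's counter was issued
    # before a reset and is rejected even though its signature is intact.
    if payload.get("gen") != TOKEN_GENERATION.get(payload.get("uid"), 0):
        return None
    return payload["uid"]


def reset_user_tokens(user_id: int) -> None:
    """Invalidate every outstanding token for the user; they must log in again."""
    TOKEN_GENERATION[user_id] = TOKEN_GENERATION.get(user_id, 0) + 1


def demo() -> dict:
    """Walk through issue -> validate -> reset -> re-validate with fixed timestamps."""
    tok = issue_token(42, now=1_000_000)
    before = validate_token(tok, now=1_000_100)          # valid: 42
    expired = validate_token(tok, now=2_000_000)         # past exp: None
    tampered_sig = tok[:-1] + ("A" if tok[-1] != "A" else "B")
    tampered = validate_token(tampered_sig, now=1_000_100)  # bad signature: None
    reset_user_tokens(42)
    after = validate_token(tok, now=1_000_100)           # old generation: None
    fresh = validate_token(issue_token(42, now=1_000_200), now=1_000_300)  # new token: 42
    return {"before": before, "expired": expired, "tampered": tampered,
            "after": after, "fresh": fresh}


if __name__ == "__main__":
    print(demo())
```

Because the generation counter lives only on the server, the reset takes effect for every client at once, whether the token was held by the website, a mobile app, or a third-party application that logged in through the same account; none of them can be "un-reset" by presenting an older token.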
Users will be logged out of every application in which they signed in via Facebook, for example Tinder or Facebook Messenger. After logging back in, they will see a notification at the top of their news feed explaining what happened.
The company has also disabled the feature that contained the vulnerability and is conducting a thorough investigation. As Facebook explained, the attack exploited several bugs in the code at once. According to preliminary information, the bug was introduced, among other things, by changes made in July 2017 to the video upload interface.
Facebook noted that it does not yet know whether anyone managed to exploit this vulnerability. The company's engineers have promised to say more once they understand the situation themselves.