Third Party Apps Unaffected by Facebook Breach

by Chris Brook on Wednesday October 3, 2018


Facebook said Tuesday it has no evidence that third-party sites that use Facebook Login were affected by last week's massive breach.

Lost in the haze of last week's Facebook fiasco was whether third-party apps that rely on Facebook Login were compromised along with users' access tokens.

The company put those fears to rest on Tuesday, saying its investigation has so far found no evidence that the attackers accessed any apps using Facebook Login. Guy Rosen, Facebook's VP of Product Management, said the company reached that conclusion after analyzing its logs for every third-party app that was installed or logged into during last week's attack.

Countless apps, including Instagram, Spotify, and Airbnb, support the feature, which lets users log in to other services with their Facebook credentials, but until Tuesday it was unclear whether those apps were affected.

Rosen stressed that any app using the company's official SDKs, along with any app that regularly checks the validity of its users' access tokens, was automatically protected when Facebook reset affected users' access tokens last week: a reset token simply stops working, so the app's next check fails and the user is logged out.

In case you missed it, a trio of bugs forced Facebook last week to reset access tokens for 90 million of its accounts: roughly 50 million whose tokens are known to have been stolen, and another 40 million that had been subject to a "View As" look-up in the past year and were reset as a precaution.

All three bugs stemmed from a change the company made to its video uploading feature in July 2017. In combination they let attackers obtain access tokens belonging to other users and, in turn, take over those accounts.

The “View As” privacy feature on Facebook allows users to test out what their profile would look like if viewed by any particular user. The feature is especially helpful for users who are selective about whom they share personal data with.

For what it’s worth, Facebook said it's building a tool that will let developers who don't use its SDKs, or who don't regularly check whether their users' Facebook access tokens are still valid, identify which of their users were affected so they can log them out.
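The check Rosen refers to, an app verifying on its own server that a user's Facebook Login token is still valid, is normally done against the Graph API's debug_token endpoint, which returns whether the token is valid, which app it was issued to, which user it belongs to, and when it expires. The following is an added example written for this article, not Facebook's SDK or sample code. The endpoint and the response fields are Facebook's documented ones, but the app ID, app secret, user ID, token strings and both JSON responses are constructed placeholders, and the log-out decision logic is this example's own.

```python
"""Server-side validation of a Facebook Login access token via /debug_token.

Added example, not Facebook SDK code. The app id, app secret, user id and
token values are placeholders, and the two JSON responses below are
constructed to mirror the documented debug_token response shape.
"""
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

GRAPH_API = "https://graph.facebook.com/v3.1"


def debug_token_url(user_token: str, app_id: str, app_secret: str) -> str:
    """Build GET /debug_token?input_token=...&access_token=APP_TOKEN.

    The app access token is "APP_ID|APP_SECRET"; it must only ever be used
    server-side, never shipped to a browser or mobile client.
    """
    app_token = f"{app_id}|{app_secret}"
    query = urlencode({"input_token": user_token, "access_token": app_token})
    return f"{GRAPH_API}/debug_token?{query}"


@dataclass
class TokenVerdict:
    accept: bool   # True: keep the session; False: log the user out
    reason: str


def evaluate_debug_token(body: dict, expected_app_id: str,
                         session_user_id: str,
                         now: Optional[float] = None) -> TokenVerdict:
    """Decide whether a session backed by this token may continue.

    A token that Facebook has reset or revoked comes back with
    is_valid=false, which is exactly what an app that "regularly checks
    the validity of its users' access tokens" relies on. The app_id and
    user_id checks catch a valid token that was issued to a different app
    or belongs to a different user than the one the session claims.
    """
    now = time.time() if now is None else now
    data = body.get("data")
    if not isinstance(data, dict):
        return TokenVerdict(False, "malformed response")
    if not data.get("is_valid"):
        err = data.get("error") or {}
        return TokenVerdict(False, f"token invalid: {err.get('message', 'no detail')}")
    if str(data.get("app_id")) != str(expected_app_id):
        return TokenVerdict(False, "token was issued to a different app")
    if str(data.get("user_id")) != str(session_user_id):
        return TokenVerdict(False, "token belongs to a different user than the session")
    expires_at = data.get("expires_at", 0)  # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        return TokenVerdict(False, "token expired")
    return TokenVerdict(True, "ok")


# Constructed sample responses (placeholder ids; shape follows the docs).
VALID_RESPONSE = json.loads("""{"data": {
  "app_id": "123456789012345", "type": "USER", "application": "Example App",
  "expires_at": 1543449600, "is_valid": true, "issued_at": 1538265600,
  "scopes": ["public_profile", "email"], "user_id": "10000000000001"}}""")

REVOKED_RESPONSE = json.loads("""{"data": {
  "app_id": "123456789012345", "type": "USER", "application": "Example App",
  "expires_at": 1543449600, "is_valid": false,
  "error": {"code": 190, "subcode": 467,
            "message": "The session is invalid because the user logged out."},
  "scopes": ["public_profile", "email"], "user_id": "10000000000001"}}""")


if __name__ == "__main__":
    app_id, user_id = "123456789012345", "10000000000001"
    print(debug_token_url("EAAB-placeholder-token", app_id, "app-secret-placeholder"))
    for label, body in (("valid", VALID_RESPONSE), ("revoked", REVOKED_RESPONSE)):
        verdict = evaluate_debug_token(body, app_id, user_id, now=1540000000)
        action = "keep session" if verdict.accept else "log user out"
        print(f"{label}: {action} ({verdict.reason})")
```

In production the request built by debug_token_url is made from the server on each session check (or at least on a fixed schedule), and a False verdict should clear the app's own session for that user rather than merely discarding the Facebook token.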

This whole debacle has been brutal, but it’s worth lauding Facebook for being transparent about it. The company followed up its initial disclosure on Friday with a post that afternoon which dug into the specifics of the attack, namely how the video uploader generated a user access token when it shouldn't have. That token ended up in the HTML of the page, where attackers could extract it and then repeat the process, hopping from account to account.

The attack happened more than a week ago, but it's still unclear who was behind it or whether any information was misused or accessed.

The hits keep coming for Facebook.

The news comes a week after researchers from Northeastern University and Princeton University revealed that Facebook was harvesting phone numbers meant for two-factor authentication, and shadow contact information, and using them for targeted advertising.

The incident also comes amid a debate in the EU around whether or not the company breached the General Data Protection Regulation (GDPR). The Irish Data Protection Commission said this week it’s weighing whether or not to open a formal probe into the breach as 10 percent of the 50 million accounts that were accessed were based in the EU.

A week before that, in light of this spring’s Cambridge Analytica scandal, the EU Parliament's civil liberties and justice committee said it was going to ask Facebook for a full and independent audit around how it handles personal data and data protection.

Tags: Social Media Security


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with nearly a decade of experience writing about information security, hackers, and privacy. Prior to joining Digital Guardian he helped launch Threatpost.