Facebook ‘View As’ hackers didn’t access third-party app data

As of October 2nd, 2018, it appears that hackers only accessed Facebook’s first-party services

Menlo Park social networking giant Facebook said that its investigation into the ‘View As’ hack hasn’t revealed that hackers accessed third-party applications using Facebook Login.

An October 2nd, 2018 media release attributed to Facebook’s vice president of product management Guy Rosen explained that the social networking company’s investigation “has so far found no evidence that the attackers accessed any apps using Facebook Login.”

Rosen added that any developers using Facebook’s SDKs were “automatically protected” when the company reset user’s access tokens — the keys used to keep users logged in so they don’t need to re-enter their sign-in information each time they access a Facebook-linked application.

Facebook is also currently building a took that will allow developers to manually identify whether app users were affected, “out of an abundance of caution.”

According to Facebook, the ‘View As’ hack was the result of changes to Facebook’s video uploading feature.

Due to three specific bugs, hackers were able to use Facebook’s View As feature — which lets users see how others view their accounts — to generate access tokens that mimicked genuine accounts.

Facebook acted by resetting the access tokens of approximately 50 million users who were definitely affected by the hack, as well as an additional 40 million accounts that may have been affected.

Rosen told reporters during a September 28th, 2018 phone call that hackers had not accessed private messages or posts. No credit card information was accessed either.

A Toronto-based law firm has launched a class action suit against Facebook as a result of the hack.

Source: Facebook