Audits

Facebook Partially Restores Privacy Feature Abused in Massive Breach

Facebook restores View As feature

Published

<p><span><span><img src="https://www.securityweek.com/sites/default/files/features/Facebook-Privacy.jpg" alt="Facebook restores View As feature" title="Facebook restores View As feature" width="675" height="392" style="vertical-align: top;" /></span></span></p>

Facebook this week informed users that it has partially restored a privacy feature abused by hackers last year as part of an attack that impacted 29 million accounts.

The social media giant informed customers in late September 2018 that hackers had exploited a series of vulnerabilities to steal tokens that could be used to access 50 million Facebook accounts. The company later told users that the attack, reportedly launched by spammers who wanted to make a profit through deceptive advertising, actually impacted only 29 million accounts.

According to Facebook, for 15 million of the affected users, the hackers accessed names, phone numbers and email addresses. For the remaining 14 million, they also accessed gender, hometown, date of birth, religion, and information on the places they had checked into.

In response to the breach, Facebook invalidated access tokens for nearly 90 million accounts and launched a tool that told users whether or not their account was impacted.

The attack involved three distinct flaws affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.

“View As” is a privacy feature that shows users how others, including specific friends or users they are not friends with (View As Public), see their profile. The feature is designed to help users ensure that they only share information with the intended audience.

Facebook disabled the “View As” feature following the massive breach, but it has partially re-enabled it this week. In an update to its initial blog post and on Twitter, the company said it restored the “View As Public” feature after completing its security review and determining that it was not involved in the incident.

The “View As Specific Person” feature remains disabled. However, Facebook says the “View As Public” version was much more popular. Facebook is likely restoring the feature gradually as it’s still not available to all users.

Advertisement. Scroll to continue reading.

Related: Industry Reactions to Facebook Hack

Related: Is Facebook Out of Control? Investigations and Complaints Are Rising

Related: Zuckerberg Defends Facebook in New Data Breach Controversy

Related: UK Regulator Hits Facebook With Maximum Fine

In this article:

Related Content

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version