When Facebook disclosed last weekend that a massive data breach had compromised the access tokens of more than 50 million accounts, many feared the stolen tokens could have been used to reach third-party services such as Instagram and Tinder that rely on Facebook Login.
The good news is that Facebook has found no evidence, "so far", that this happened.
In a blog post published Tuesday, Facebook security VP Guy Rosen said investigators "found no evidence" of the attackers accessing third-party apps through its "Login with Facebook" feature.
“We have now analysed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login,” Rosen says.
However, this does not mean the stolen tokens, even though Facebook has already revoked them, pose no threat to the thousands of third-party services that use Facebook Login. As the company explains, it depends on how each site validates its users' access tokens.
A site that does not use Facebook's official SDKs, and does not regularly re-check its users' tokens with Facebook, may have validated a stolen token once at login and then issued its own long-lived session. Such a site would keep honouring that session even after Facebook revoked the underlying token, so an attacker could still reach the victim's account.
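To make the failure mode concrete, here is an added illustration (not Facebook's code, nor any real app's) that contrasts the two back-end patterns the post describes. It stands in for the Graph API's real `debug_token` endpoint with an in-memory fake; the class names `FakeGraphAPI`, `CachedSessionApp` and `RevalidatingApp`, the token strings and the user ids are all constructed for the example.

```python
"""Why a revoked Facebook access token can still grant access to a third-party app.

Added example, not Facebook's code. FakeGraphAPI stands in for the Graph API's
/debug_token endpoint (the real one answers {"data": {"is_valid": ..., "user_id": ...}}),
and the two app classes are hypothetical back-ends showing the vulnerable and the
protected way of handling a Facebook Login session.
"""
import time
from urllib.parse import urlencode


def debug_token_url(input_token, app_token):
    """Build the real Graph API URL an app would call to validate a user token.
    Shown for reference only; this example never makes a network request."""
    query = urlencode({"input_token": input_token, "access_token": app_token})
    return "https://graph.facebook.com/debug_token?" + query


class FakeGraphAPI:
    """In-memory stand-in for Facebook: issues tokens, resets them, answers debug_token."""

    def __init__(self):
        self._tokens = {}  # access token -> user id (constructed data)

    def issue_token(self, user_id):
        tok = f"TOKEN-{user_id}-{len(self._tokens)}"  # constructed, not a real token format
        self._tokens[tok] = user_id
        return tok

    def reset_tokens(self, user_ids):
        """What Facebook did for ~90M accounts: invalidate the affected tokens."""
        self._tokens = {t: u for t, u in self._tokens.items() if u not in user_ids}

    def debug_token(self, input_token):
        user = self._tokens.get(input_token)
        return {"data": {"is_valid": user is not None, "user_id": user}}


class CachedSessionApp:
    """Vulnerable pattern: validate the Facebook token once at login, then trust the
    app's own session forever and never ask Facebook again."""

    def __init__(self, graph):
        self.graph = graph
        self.sessions = {}  # session id -> user id

    def login(self, fb_token):
        info = self.graph.debug_token(fb_token)["data"]
        if not info["is_valid"]:
            return None
        sid = f"sess-{len(self.sessions)}"
        self.sessions[sid] = info["user_id"]
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)  # a Facebook-side reset is never noticed


class RevalidatingApp:
    """Protected pattern: keep the Facebook token bound to the session and re-check it
    with debug_token once `recheck_after` seconds have passed, so a reset upstream
    ends the app session as well. `clock` is injectable for deterministic tests."""

    def __init__(self, graph, recheck_after=60.0, clock=time.monotonic):
        self.graph = graph
        self.recheck_after = recheck_after
        self.clock = clock
        self.sessions = {}  # session id -> [fb_token, user id, last check time]

    def login(self, fb_token):
        info = self.graph.debug_token(fb_token)["data"]
        if not info["is_valid"]:
            return None
        sid = f"sess-{len(self.sessions)}"
        self.sessions[sid] = [fb_token, info["user_id"], self.clock()]
        return sid

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        fb_token, user_id, last_checked = entry
        if self.clock() - last_checked >= self.recheck_after:
            if not self.graph.debug_token(fb_token)["data"]["is_valid"]:
                del self.sessions[sid]  # token was reset by Facebook: drop our session too
                return None
            entry[2] = self.clock()
        return user_id


def simulate_breach(make_app):
    """Victim's token is stolen, attacker logs into the app with it, Facebook resets
    the token. Returns (who the attacker is before the reset, who they are after)."""
    graph = FakeGraphAPI()
    app = make_app(graph)
    stolen_token = graph.issue_token("victim")   # attacker obtains this token
    attacker_sid = app.login(stolen_token)
    before = app.whoami(attacker_sid)
    graph.reset_tokens({"victim"})               # Facebook's precautionary token reset
    after = app.whoami(attacker_sid)
    return before, after


if __name__ == "__main__":
    print("cached session :", simulate_breach(CachedSessionApp))
    print("revalidating   :", simulate_breach(lambda g: RevalidatingApp(g, recheck_after=0.0)))
```

The third case worth trying is `RevalidatingApp(g, recheck_after=3600.0)`: within the re-check window the attacker's session survives the reset just like the cached one, which is why the interval between validations bounds the exposure and why Facebook's own SDKs re-check regularly rather than once.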
To help such sites, Facebook is building a tool that will let developers "manually identify the users of their apps who may have been affected, so that they can log them out."
“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens,” Rosen says.
While announcing its worst-ever data breach last week, Facebook said unknown attackers had exploited a chain of vulnerabilities in its code to steal the access tokens of 50 million accounts. These tokens are the digital keys that keep users logged in so they don't have to re-enter their credentials every time they use the app.
Facebook fixed the issue on Thursday night and, as a precaution, forcibly logged out 90 million users by resetting their access tokens.