Facebook has announced the discovery of vulnerabilities through which attackers could steal about 50 million of the social network's accounts.
The vulnerability was discovered in the «View as…» function in the second half of the day on September 25. «View as…» lets users look at their own page through the eyes of another user.
Attackers could use it to obtain access tokens, which authenticate a session to a Facebook account without the password having to be entered. Such tokens are used, for example, in applications to avoid re-authentication.
After its discovery, the vulnerability was fixed. Along the way, Facebook notified law enforcement, disabled the «View as…» function and introduced compulsory re-authentication for 90 million accounts, of which 40 million are additional accounts that used the «View as…» function in the past year.
Facebook emphasizes that the investigation of the incident has only just begun. It remains to be seen whether the 90 million accounts were really compromised.