Facebook: Why is the “View from the perspective of…” feature no longer available?

The control function “View from the point of view of…” has already disappeared from the scene for a few months - why?

With the “View from the perspective of…” function, you could find out on Facebook what your own Facebook profile looks like to the “public”.

Although Facebook users enjoyed using the function, it has been deactivated for months - why?

The reason is a hacker attack in September 2018 that affected 50 million Facebook accounts.

Guy Rosen, VP Product Management at Facebook wrote on September 28, 2018 :

On Tuesday afternoon, September 25th, our team discovered a security issue affecting nearly 50 million accounts. We take this incident very seriously and would like to share what happened and what measures we have taken to protect people's safety on Facebook.

We are still in the early stages of enlightenment. However, it is already clear that attackers have exploited a vulnerability in Facebook's code related to the View As feature. This function is used to view your own profile from another person's perspective. As part of the attack, Facebook access tokens were stolen, which were then used to take over accounts. Access tokens are like digital keys that people use to stay logged in to Facebook so they don't have to re-enter their password every time they open the app.

We have already taken the following measures:

First, we fixed the vulnerability and informed the authorities about it.

Second, we have reset the access tokens of the currently known affected accounts (almost 50 million) to protect them from misuse. Additionally, we are taking the precautionary step of resetting the access tokens for an additional 40 million accounts that had the View from View feature applied last year. As a result, around 90 million people now have to re-log in to Facebook or one of the apps that use Facebook Login. When they log back in, they will see a message at the top of their News Feed explaining the incident.

As a third measure, we have temporarily disabled the View from View feature while we conduct a thorough security review.

This attack exploited the complex interaction of multiple vulnerabilities in our code. This is due to a change we made to our video upload feature in July 2017, which in turn impacted View Viewed. The attackers not only had to find this vulnerability and use it to obtain an access token; They also had to switch from this account to others to steal more tokens.

Because we have just begun our investigation, we do not know at this time whether these accounts were misused and whether any information was accessed. We also don't know who is behind these attacks or where the attack came from. We are working diligently to find out these details and will update this post as soon as we have more information or if the facts change. Additionally, if we identify additional affected accounts, we will immediately reset their access tokens.

The privacy and safety of people on Facebook is very important to us and we would like to apologize for this incident. We took immediate action to protect the affected accounts and inform users of the events. There is no need to change the current password. All people who cannot log in to Facebook – e.g. B. because you have forgotten your password – you can find support in our help area. Additionally, anyone who wants to log out of Facebook as a precautionary measure should visit the “Security and Login” section in Settings. All apps and websites that our users are logged into via Facebook are listed there. Here you also have the option of logging out of all services with one click.

Pedro Canahuati, VP Engineering, Security and Privacy supplemented with technical information:

Below are some additional technical details about the security issue described previously.

Earlier this week, we discovered that an external actor had attacked our systems and exploited a vulnerability. This vulnerability resulted in Facebook personal account access tokens being exposed in HTML after our systems executed a specific component of the View As feature. The vulnerability resulted from the interaction of three separate flaws:

First, View As is a privacy feature that allows you to see what your profile looks like from someone else's perspective. “View As” is intended as an interface solely as a viewing function. However, in a particular “Composer” (the field through which you can post content to Facebook), namely the one for writing birthday wishes, “View As” incorrectly also offered the option to upload a video.

Second, a new version of our video uploader (the interface presented due to the first bug) introduced in July 2017 incorrectly generated an access token with permission to access the Facebook mobile app.

Third: The video uploader activated together with “View as” did not generate the access token for you as a viewer, but for the specified user that you are viewing in the function.

In the manner described, these three errors resulted in a vulnerability: When using the "View as" function to view the profile from another user's perspective, the code did not remove the composer that allows you to send birthday wishes to friends; the video uploader incorrectly generated an access token; and the access token generated was not issued to you, but to the person you selected in “View as”.

The attackers were then able to extract this access token from the HTML code of the page and misuse it to log in as another user. This allowed the attackers to switch from this access token to other accounts and obtain additional access tokens by repeating this process.

We've fixed this vulnerability so people's accounts on Facebook are safe. Additionally, we reset the access tokens of the nearly 50 million known affected accounts. Additionally, as a precautionary measure, we also reset the access tokens for an additional 40 million accounts that had the View As feature applied last year. As a final measure, we have temporarily disabled the View As feature while we conduct a thorough security review.