In the last few days we have repeatedly received inquiries from Facebook users about the “View from the perspective of…” function.

Note: With Facebook's “View from the perspective of…” function, you can find out how other users see your own profile or what your own Facebook profile looks like to the “public”.

Yes, it's true, Facebook has temporarily disabled this feature!

The reason for this is the hacker attack that affected 50 million accounts. Facebook published the following information on September 28, 2018:

We (Facebook) have discovered that an external actor has attacked our systems and exploited a vulnerability. This vulnerability exposed Facebook private account access tokens in HTML after our systems executed a specific component of the View As feature. The vulnerability resulted from the interaction of three separate flaws:

Screenshot: Facebook “View from the perspective of…”

First:

View As is a privacy feature that allows you to view your profile from someone else's perspective. “View As” is intended solely as a viewing interface. However, in a particular “Composer” (the field through which you can post content to Facebook), namely the one for writing birthday wishes, “View As” incorrectly also offered the option to upload a video.

Second:

A new version of our video uploader (the interface presented due to the first bug) introduced in July 2017 incorrectly generated an access token with permission to access the Facebook mobile app.

Third:

The video uploader activated together with “View As” did not generate the access token for you as a viewer, but for the specified user that you are viewing in the function.

In the manner described, these three errors resulted in a vulnerability: When using the “View As” function to view the profile from another user's perspective, the code did not remove the composer that allows you to send birthday wishes to friends; the video uploader incorrectly generated an access token; and the access token generated was not issued to you, but to the person you selected in “View As”.

The attackers were then able to extract this access token from the HTML code of the page and misuse it to log in as another user. This allowed the attackers to switch from this access token to other accounts and obtain additional access tokens by repeating this process.

We've fixed this vulnerability so people's accounts on Facebook are safe. Additionally, we reset the access tokens of the nearly 50 million known affected accounts. Additionally, as a precautionary measure, we also reset the access tokens for an additional 40 million accounts that had the View As feature applied last year.

As a final measure, we have temporarily disabled the View As feature while we conduct a thorough security review.

Source: Facebook
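
The three flaws in the statement can be read as broken invariants on token issuance: a read-only preview must issue no token, a token's subject must be the authenticated session user, and its scope must be no broader than the feature needs. The Python model below is an added example, not Facebook's code; the class and function names, the scope names and the `subject|scope` markup are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RenderContext:
    session_user: str               # account that authenticated this request
    view_as: Optional[str] = None   # identity being previewed, if any

@dataclass(frozen=True)
class Token:
    subject: str   # account the token logs in as
    scope: str     # what the token may be used for

def embed(token: Token) -> str:
    # Constructed markup; real tokens are opaque strings, not "subject|scope".
    return f'<div class="composer" data-token="{token.subject}|{token.scope}"></div>'

def render_flawed(ctx: RenderContext) -> str:
    # Flaw 1: the composer is rendered even in View As mode.
    # Flaw 2: the uploader token carries the broad mobile-app scope.
    # Flaw 3: the subject is the previewed identity, not the session user.
    subject = ctx.view_as or ctx.session_user
    return embed(Token(subject, "mobile_app"))

def render_hardened(ctx: RenderContext) -> str:
    # View As is read-only: no composer and no token issuance at all.
    if ctx.view_as is not None:
        return '<div class="profile-preview"></div>'
    # Outside View As, bind the token to the session user with a narrow scope.
    return embed(Token(ctx.session_user, "video_upload"))

def audit(html: str, ctx: RenderContext) -> list:
    """Return findings for tokens in rendered HTML that break the invariants."""
    findings = []
    for subject, scope in re.findall(r'data-token="([^|"]+)\|([^"]+)"', html):
        if ctx.view_as is not None:
            findings.append("token issued inside read-only View As render")
        if subject != ctx.session_user:
            findings.append(f"token subject {subject!r} is not session user")
        if scope != "video_upload":
            findings.append(f"scope {scope!r} broader than upload")
    return findings

if __name__ == "__main__":
    preview = RenderContext(session_user="alice", view_as="bob")  # constructed
    print(audit(render_flawed(preview), preview))    # three findings
    print(audit(render_hardened(preview), preview))  # no findings
```

The `audit` function is the kind of check that fits in a rendering test suite: it fails on any page output where a credential appears for an identity other than the one that authenticated.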

