Washington (Agencies)
On Tuesday, September 25, Facebook engineers noticed unusual activity on the company's servers; the investigation showed a breach affecting approximately 50 million Facebook user accounts.
How did the breach happen, and what should we do about it?
Before going into the details, let me explain a technique used by Facebook and many other sites. It allows third-party applications (built on top of Facebook) to exchange data with Facebook in both directions; examples are the application "see how you would look with no hair", the application "see how you will look after 40 years", and others like them. When an account holder uses such an application, the site asks the user to sign in via Facebook, and during that sign-in the user agrees to grant the application certain powers, such as permission to obtain the user's name, permission to post to the user's own account, and so on. From that point the user's data is exchanged with the application's company.
Signing in to the application happens only once; using it again does not require approving new permissions, because once the user grants the application these powers, Facebook generates a unique code that is never repeated for any other user, and this code is used in place of logging in each time. This code is called the "access token".
Technically, anyone who holds a Facebook user's access token can use it to read that user's data within the powers the user granted to the application, as in the examples above: obtaining the date of birth and name, reading the user's own posts, accessing photos, and so on.
Facebook acknowledged that nearly 50 million users were compromised through the tokens for their accounts, but the company terminated the tokens of approximately 90 million users as a precautionary measure, which means the tokens in the hackers' hands are now expired and unusable.
How did the hackers obtain the tokens, and how was the hack carried out?
Facebook did not, as is usual, disclose the technical details of the intrusion, but the company indicated that the intrusion went through a video upload system made available to users in July 2017.
How did the token theft from Facebook come about?
• First, personal accounts have a feature called "View As" that lets you see your own account as it appears to non-friends, in other words what data a non-friend can see when visiting or browsing your account.
• Second, this feature, mistakenly on Facebook's part, included a video upload component related to wishing a friend a happy birthday.
• Third, the video upload feature Facebook provided in 2017 generated, through the video upload system, a token specific to the Facebook mobile application and embedded it in the page content, inside the HTML.
When View As was used to look at another user's account, the combination of the three flaws above caused Facebook to generate a token for the target account rather than for the browsing user's account. That is the vulnerability the hackers used to obtain about 50 million tokens.
How did Facebook handle this loophole?
Facebook first terminated the tokens of all 50 million affected users, and as a precaution those of 40 million more, a total of 90 million Facebook users, by forcing a mass logout of those 90 million users; no doubt many users found themselves logged out of Facebook without knowing why. View As has also been temporarily disabled until a security review confirms it has no other loopholes.
Your Facebook account was logged out without your intervention: what should you do? Have you been hacked?
No, you are not compromised. Your logout was intended to disable all of the old tokens linking your account with Facebook applications; your personal account password has not been disclosed at all. But there are some important things the company did not mention, and you should follow them as tips, explained below:
• We do not know whether the hackers managed to use the tokens to collect the data of 50 million users before Facebook expired them. This data includes the name, date of birth and other personal details, especially your email. You should therefore bear in mind that the hackers may now hold the email address linked to your Facebook account; make sure that email account has the necessary protection, and I advise you to log in to it and enable two-factor authentication.
• Logging out of your Facebook account terminates the tokens associated with it that Facebook generated without your knowledge, such as the tokens stolen by the hackers.
• As a precaution, it does no harm to change your account password.
What you should know about Facebook tokens (after a personal examination):
• Logging out terminates the tokens generated within your personal account (profile).
• Logging out does not terminate all tokens generated for your account in general. Some tokens remain valid even after a password change, but these tokens cannot be accessed by anyone except in the following cases:
1. Someone has the ability to sign in to your personal account.
2. Someone installs software in your browser or runs specific code by pasting it into the browser console.
• A token has an expiry period, which may be an hour, a month or more, and some tokens never expire.
• Each token is a sequence of numbers that identifies the user, the application and the powers granted; no two tokens are ever identical.
• Tokens are generated in two ways: the first through the process of logging in to an application, and the other automatically by Facebook's own software; for example, there is a token for the ads application and another specific to the mobile app.
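The token mechanics listed above (a token bound to one user, one application and a set of powers, with an expiry, invalidated by a mass logout) and the View As flaw from the earlier section, modelled together as an added Python example. This is constructed illustration code, not Facebook's implementation; the names TokenService, render_view_as_buggy, render_view_as_fixed and the app ids "mobile-app" and "ads" are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass
class Token:
    value: str                   # the secret string handed to the application
    user_id: str                 # whose data the token can read
    app_id: str                  # which application holds it
    scopes: frozenset            # powers granted (e.g. read_profile, publish)
    expires_at: Optional[float]  # None models a token that never expires
    revoked: bool = False

class TokenService:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def issue(self, user_id: str, app_id: str, scopes: Iterable[str], ttl: Optional[float] = None) -> Token:
        exp = None if ttl is None else time.time() + ttl
        tok = Token(secrets.token_urlsafe(24), user_id, app_id, frozenset(scopes), exp)
        self.tokens[tok.value] = tok
        return tok

    def validate(self, value: str, scope: str) -> Optional[str]:
        # Returns the user the token speaks for, or None if it is unusable.
        tok = self.tokens.get(value)
        if tok is None or tok.revoked:
            return None
        if tok.expires_at is not None and time.time() > tok.expires_at:
            return None
        return tok.user_id if scope in tok.scopes else None

    def revoke_all_for_user(self, user_id: str) -> int:
        # The mass logout: invalidate every live token for one user.
        hit = [t for t in self.tokens.values() if t.user_id == user_id and not t.revoked]
        for t in hit:
            t.revoked = True
        return len(hit)

def render_view_as_buggy(svc: TokenService, viewer_id: str, target_id: str) -> Token:
    # Model of the flaw: the embedded uploader mints a mobile-app token for the
    # profile being previewed (target), not for the logged-in viewer.
    return svc.issue(target_id, "mobile-app", {"read_profile"})

def render_view_as_fixed(svc: TokenService, viewer_id: str, target_id: str) -> Optional[Token]:
    # Hardened: a page-embedded token is only ever bound to the authenticated
    # session, so previewing someone else's profile mints none.
    return None if viewer_id != target_id else svc.issue(viewer_id, "mobile-app", {"read_profile"})
```

The revoke_all_for_user call is the model of Facebook's mass logout: a token that leaked through the buggy path stops validating the moment its owner's tokens are revoked, while a token issued with no ttl stays valid until revoked.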