Sep 28, 2018

Facebook discloses major security flaw, could affect 50 million users

Facebook today revealed a “security issue” in which a code flaw could have allowed hackers to take over upwards of 50 million user accounts.

“We face constant attacks from people who want to take over accounts or steal information… We need to do more to prevent this from happening in the first place.”
— Facebook CEO Mark Zuckerberg, during a call with reporters.

The big picture: This is just the latest in a long string of recent problems for Facebook, including executive defections, social media interference, privacy concerns, and accusations of anti-conservative bias.

"The original investigation started when we saw a pattern of increased usage to the site and when we dug into that we found this was an attack exploiting that vulnerability."
— Guy Rosen, Facebook's vice president of product management

Why it matters: Facebook's headache is no longer about a third party brokering user data — this is about Facebook's code having a flaw that allows hackers to access personal information in user accounts. And there is nothing users can do about it from a security standpoint but let Facebook roll out an update.

The code vulnerability is related to the “view as” feature on profiles, where users can view their profiles through the eyes of someone else.

  • Facebook says the hack was produced by the interaction of three "bugs" introduced when Facebook updated the video upload feature in July 2017.

The company does not yet know if information has been misused or accessed, which is something CEO Mark Zuckerberg reiterated during a media call.

  • Passwords were apparently not accessed. Neither was any credit card information.
  • Facebook says it has fixed the code vulnerability, and the "view as" feature is temporarily turned off.
  • The company says it is working with the FBI. It also alerted law enforcement in Europe, per new privacy rules there called GDPR, and the Department of Homeland Security.

Facebook says it first learned of the vulnerability this past Tuesday. On Wednesday it alerted authorities and on Thursday fixed the vulnerability and began resetting access codes.

Correction: This story has been updated to specify the year of the hack and correct that the bug was in the video upload feature's code.
