Facebook gives third-party apps the all-clear
Social network says SSO-slurping miscreants didn't reuse tokens on third-party apps
Facebook has toned down its Friday warning that stolen credentials could be used to compromise third-party apps.
Last week, the company 'fessed up to a bug in its “View As” feature that let miscreants harvest millions of account access tokens.
At the time, the Silicon Valley behemoth reckoned a mere 50 million accounts were “directly affected”, with a further 40 million “looked up”. All 90 million accounts were logged out so as to invalidate the tokens.
The bug could also have allowed an attacker to use the swiped tokens to access other sites or apps, if the site offered – and the account owner had used – a “log in with Facebook” feature.
That could have led to a very large breach, since University of Illinois at Chicago researchers reckon there are more than 40,000 third-party Facebook apps (at Usenix in August, a team led by Jason Polakis published research (PDF) into hacking single sign-on products like the Facebook login).
In an update posted today, Facebook product management veep Guy Rosen said that didn't happen.
“We have now analysed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login”, Rosen wrote.
He added that third-party developers were also protected by the token reset, if they used official Facebook SDKs, or if they regularly checked the validity of user access tokens.
For developers doing neither of these things, Rosen said, “we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out”.
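As an added illustration of the check Rosen describes (this is not code from Facebook or from this article), here is a server-side sweep that asks the Graph API's debug_token endpoint about each stored user token and flags for logout any session whose token no longer validates, was issued to a different app, belongs to a different user, or has expired. The app id, user ids, tokens and API replies below are constructed; the field names follow the public debug_token response format.

```python
import json
import urllib.parse
import urllib.request

GRAPH_DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"

def fetch_debug_token(user_token, app_token):
    """Live lookup: ask Graph API whether a user token is still valid (needs network)."""
    query = urllib.parse.urlencode({"input_token": user_token, "access_token": app_token})
    with urllib.request.urlopen(f"{GRAPH_DEBUG_TOKEN_URL}?{query}") as resp:
        return json.load(resp)

def token_verdict(debug, app_id, user_id, now):
    """Return "ok" if the token may keep backing the session, otherwise "logout"."""
    data = debug.get("data", {})
    if "error" in data or not data.get("is_valid", False):
        return "logout"          # revoked or reset server-side, even if not yet expired
    if str(data.get("app_id")) != app_id:
        return "logout"          # token issued to some other app: never accept it
    if str(data.get("user_id")) != user_id:
        return "logout"          # token belongs to a different user than this session
    expires_at = int(data.get("expires_at", 0))  # 0 means no fixed expiry
    if expires_at and expires_at <= now:
        return "logout"          # past its lifetime
    return "ok"

def sweep_sessions(sessions, lookup, app_id, now):
    """Session ids whose token no longer validates, i.e. the users the app should log out."""
    return [s["session_id"] for s in sessions
            if token_verdict(lookup(s["token"]), app_id, s["user_id"], now) == "logout"]

# Constructed sample data (hypothetical app id, user ids, tokens and debug_token replies).
APP_ID = "123456789012345"
NOW = 1538697600  # 2018-10-05 00:00:00 UTC
SAMPLE_SESSIONS = [
    {"session_id": "s1", "user_id": "1001", "token": "tok-good"},
    {"session_id": "s2", "user_id": "1002", "token": "tok-reset"},
    {"session_id": "s3", "user_id": "1003", "token": "tok-other-app"},
    {"session_id": "s4", "user_id": "1004", "token": "tok-expired"},
]
SAMPLE_RESPONSES = {
    "tok-good": {"data": {"app_id": APP_ID, "type": "USER", "is_valid": True,
                          "expires_at": NOW + 86400, "user_id": "1001", "scopes": ["email"]}},
    "tok-reset": {"data": {"error": {"code": 190, "message": "Invalid OAuth access token."},
                           "is_valid": False, "scopes": []}},
    "tok-other-app": {"data": {"app_id": "999999999999999", "type": "USER", "is_valid": True,
                               "expires_at": NOW + 86400, "user_id": "1003", "scopes": ["email"]}},
    "tok-expired": {"data": {"app_id": APP_ID, "type": "USER", "is_valid": True,
                             "expires_at": NOW - 60, "user_id": "1004", "scopes": ["email"]}},
}
```

In production, `lookup` would be `lambda t: fetch_debug_token(t, APP_TOKEN)` run on a schedule, so that a platform-side token reset like the one described above shows up as `is_valid: false` on the next sweep rather than when the user next hits an API error.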
Recently-exited Facebook CISO Alex Stamos speculated that Friday's warning about third-party apps was a response to the GDPR's 72-hour disclosure rules.
He tweeted: “Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1) Announce & cop to max possible impacted users. 2) Everybody is confused on actual impact, lots of rumours. 3) A month later truth is included in official filing.” ®