Anatomy of a Breach: Facebook — 50 Million Access Tokens Stolen Through a 'View As' Vulnerability

> series: anatomy_of_a_breach —— part: 118 —— target: facebook —— tokens_stolen: 50,000,000 —— vulnerability: view_as_feature

Hedgehog Security · 31 October 2018 · 12 min read

50 million access tokens. Three chained vulnerabilities. Full account takeover.

On 28 September 2018, Facebook disclosed that attackers had exploited a chain of three vulnerabilities in the platform's 'View As' feature — which allows users to see how their profile appears to others — to steal access tokens for approximately 50 million accounts. Access tokens are the digital keys that keep users logged in to Facebook; possessing a user's access token allows full account access without needing their password. Facebook forced a token reset for 90 million accounts (including 40 million as a precautionary measure).

The attack chained three bugs: a flaw that caused the video uploader to appear inside 'View As' mode, a second flaw that made that uploader generate an access token carrying the permissions of the user being 'viewed as' rather than those of the viewer, and a third flaw that allowed the generated token to be extracted. The vulnerability chain had been introduced in a code change in July 2017 — meaning it had existed for over a year before discovery. The breach was reported to the Irish Data Protection Commission under GDPR's 72-hour notification requirement — one of the first major breaches to test the new framework.


Three bugs. Individually minor. Together, catastrophic.

The Facebook breach demonstrated vulnerability chaining — the combination of multiple individually minor bugs into a critical exploit. No single vulnerability in the chain would have been catastrophic alone; together, they enabled full account takeover of 50 million accounts. This is exactly why our web application testing examines the interactions between features, not just individual vulnerabilities — because the most dangerous flaws are often chains, not single bugs.

Chain Attacks Are Hard to Find

Automated vulnerability scanners would not have identified this vulnerability chain — it required understanding the interaction between the video uploader, the 'View As' feature, and the access token system. This is why manual <a href="/penetration-testing/web-application">penetration testing</a> by skilled testers remains essential alongside automated tools.

Access Tokens = Full Account Access

Stolen access tokens provided full account access — no password, no MFA required. Tokens are bearer credentials: whoever possesses the token has the access. For organisations implementing token-based authentication (OAuth, JWT), our <a href="/penetration-testing/api">API testing</a> assesses token security, expiry, rotation, and scope controls.
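
The bug class described above, reduced to its essentials in a hypothetical Python service (an added example; this is not Facebook's code and assumes nothing about how the real 'View As' feature was built). The vulnerable minting routine issues the preview token *for* the viewed user with full scope, so any holder of the token owns that account; the fixed routine keeps the authenticated viewer as the subject, records the preview target as a separate `act_as` claim, narrows the scope and shortens the lifetime. The `authorize` function shows the bearer-token checks the 'API testing' paragraph lists: signature, expiry and scope, with the subject bound to the account being acted on. The signing key and user names are constructed.

```python
"""Hypothetical illustration of the token-issuance bug class behind the
Facebook 'View As' chain (added example; not Facebook's code)."""
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo; a real service would use a managed secret.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: dict) -> str:
    """Mint a compact signed token: base64url(payload).hex(HMAC-SHA256(payload))."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, now: int) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def mint_preview_token_vulnerable(viewer: str, viewed_as: str, now: int) -> str:
    """BUG (the class described in the article): the preview token is minted
    for the *viewed* user with that user's full scope, so whoever obtains it
    has the viewed user's account. The real viewer is not recorded at all."""
    return _sign({"sub": viewed_as, "scope": ["full"], "exp": now + 3600})


def mint_preview_token_fixed(viewer: str, viewed_as: str, now: int) -> str:
    """Subject stays the authenticated viewer; the preview target is a separate
    'act_as' claim, the scope is narrow and the lifetime short."""
    return _sign({"sub": viewer, "act_as": viewed_as,
                  "scope": ["profile:preview"], "exp": now + 300})


def authorize(token: str, target_user: str, action: str, now: int) -> bool:
    """Decide whether `token` may perform `action` on `target_user`'s account.
    'preview' needs only the preview scope naming that target; any other
    action requires the token subject to *be* the target with full scope."""
    try:
        claims = verify(token, now)
    except ValueError:
        return False
    if action == "preview":
        return ("profile:preview" in claims["scope"]
                and claims.get("act_as") == target_user)
    return claims["sub"] == target_user and "full" in claims["scope"]


if __name__ == "__main__":
    now = 1_538_000_000
    bad = mint_preview_token_vulnerable("alice", "bob", now)
    good = mint_preview_token_fixed("alice", "bob", now)
    print("vulnerable token can post as bob:", authorize(bad, "bob", "post", now))
    print("fixed token can post as bob:     ", authorize(good, "bob", "post", now))
    print("fixed token can preview bob:     ", authorize(good, "bob", "preview", now))
```

The point of the fix is not the signature (both versions sign correctly) but what the signed claims say: a preview token must never be indistinguishable from a token the viewed user obtained by logging in.
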

72-Hour GDPR Notification

Facebook reported the breach to the Irish DPC within the 72-hour window — one of the first major tests of GDPR's notification requirement. <a href="https://www.socinabox.co.uk">SOC in a Box</a> enables the rapid detection that makes 72-hour notification achievable.

Second Major Facebook Incident in 2018

Coming six months after <a href="/blog/anatomy-of-a-breach-cambridge-analytica">Cambridge Analytica</a>, the access token breach further eroded trust in Facebook's security and privacy practices. The cumulative impact of multiple incidents within a single year demonstrates why ongoing <a href="/penetration-testing">security testing</a> — not one-off assessments — is essential.

Test the interactions. Not just the individual features.

The Facebook breach teaches that security testing must examine feature interactions, not just individual components. Vulnerability chaining — where minor bugs in different features combine into critical exploits — requires the kind of creative, manual testing that automated scanners cannot replicate. Our web application penetration testing includes logic testing, authentication flow analysis, and cross-feature interaction assessment.

API testing assesses token security and session management. Cyber Essentials establishes baseline application security. SOC in a Box monitors for anomalous authentication patterns that indicate token theft. And UK Cyber Defence provides incident response when token compromise is detected.
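
An added example of the kind of "anomalous authentication pattern" detection the paragraph refers to, run over a constructed token-lifecycle log (hypothetical Python; the log format, field names and IP addresses are assumptions for the demo, not Facebook's telemetry or any product's rule set). It flags three things a defender would want to see after a chain like this one: a token whose subject differs from the session that minted it, a token later presented from a different source address than the one it was issued to, and one source address minting tokens for many distinct accounts within a short window.

```python
"""Token-theft detection over constructed auth events (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real data. Columns:
#   timestamp  event  token  session_user  subject  src_ip
# For 'used' events session_user is '-' (the token itself is the credential).
SAMPLE_LOG = """\
2018-09-25T10:00:00Z issued tok1 alice alice 203.0.113.5
2018-09-25T10:00:05Z used   tok1 -     alice 203.0.113.5
2018-09-25T10:02:00Z used   tok1 -     alice 198.51.100.7
2018-09-25T10:01:00Z issued tok2 alice bob   203.0.113.9
2018-09-25T10:01:03Z issued tok3 alice carol 203.0.113.9
2018-09-25T10:01:05Z issued tok4 alice dave  203.0.113.9
"""


def parse(log: str) -> list:
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, token, session_user, subject, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "token": token,
            "session_user": session_user, "subject": subject, "ip": ip,
        })
    return events


def detect_token_anomalies(events: list, harvest_threshold: int = 3,
                           window_seconds: int = 60) -> list:
    """Return (rule, identifier) findings in the order they are detected."""
    findings = []
    issued = {}                 # token -> the event that minted it
    mints_by_ip = defaultdict(list)  # src_ip -> [(ts, subject)] of minted tokens

    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "issued":
            issued[e["token"]] = e
            mints_by_ip[e["ip"]].append((e["ts"], e["subject"]))
            # Rule 1: a token carrying someone else's identity than the
            # logged-in session that requested it.
            if e["subject"] != e["session_user"]:
                findings.append(("subject_mismatch", e["token"]))
        elif e["event"] == "used":
            origin = issued.get(e["token"])
            if origin is None:
                findings.append(("unknown_token", e["token"]))
            # Rule 2: token presented from a different address than it was
            # issued to; a signal of replay by someone other than the owner.
            elif e["ip"] != origin["ip"]:
                findings.append(("ip_change", e["token"]))

    # Rule 3: one source minting tokens for many distinct accounts in a short
    # window, the shape of automated harvesting rather than a person browsing.
    for ip, mints in mints_by_ip.items():
        mints.sort()
        for i, (t0, _) in enumerate(mints):
            subjects = {s for t, s in mints[i:]
                        if (t - t0).total_seconds() <= window_seconds}
            if len(subjects) >= harvest_threshold:
                findings.append(("mass_issuance", ip))
                break
    return findings


if __name__ == "__main__":
    for rule, ident in detect_token_anomalies(parse(SAMPLE_LOG)):
        print(f"{rule:17} {ident}")
```

Rule 1 is the one that would have fired on the bug class in this breach, and it only works if the minting path logs both the session identity and the token subject; rules 2 and 3 need no knowledge of the bug at all, which is why volume and origin anomalies are worth alerting on even when the underlying flaw is unknown.
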


Three minor bugs chained into 50 million account takeovers. Has your application logic been tested?

Our <a href="/penetration-testing/web-application">web application testing</a> examines feature interactions and vulnerability chaining. <a href="/penetration-testing/api">API testing</a> assesses token security.
