One of the concerns raised by the recent Facebook hack was whether access tokens might have provided access to third-party apps. The company now says there is ‘no evidence’ that this has happened …
The company’s product management VP made the statement.
We’ve had questions about what exactly this attack means for the apps using Facebook Login. We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.
Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens — were automatically protected when we reset people’s access tokens.
The company says that it will be taking one further precautionary step.
However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.
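The two statements above describe the property that protected apps in this case: the app re-checks its stored Facebook access tokens server-side, and terminates the local session of any user whose token no longer validates. The following is an added illustration of that pattern, not code from Facebook or from any SDK. It assumes a hypothetical app id and replaces the HTTPS call to the Graph API debug_token endpoint with an injected `fetch` function over constructed sample responses, so it runs offline; the field names (`is_valid`, `app_id`, `user_id`, `expires_at`) follow the shape of that endpoint's response, but the values are made up.

```python
"""Server-side re-validation of Facebook Login access tokens.

Added illustration, not Facebook's or any SDK's code. The network call to
the Graph API debug_token endpoint is replaced by an injected `fetch`
function so the example runs offline; SAMPLE_RESPONSES below are constructed.
"""
from dataclasses import dataclass

APP_ID = "123456789"  # assumption: this app's own Facebook app id (hypothetical)

# Constructed responses in the shape of GET /debug_token?input_token=...
# ({"data": {"is_valid": bool, "app_id": str, "user_id": str, "expires_at": int}}).
SAMPLE_RESPONSES = {
    # live token, issued to this app, bound to alice
    "tok_alice": {"data": {"is_valid": True, "app_id": APP_ID,
                           "user_id": "alice", "expires_at": 4_102_444_800}},
    # token invalidated on Facebook's side (e.g. by a mass reset)
    "tok_bob": {"data": {"is_valid": False, "app_id": APP_ID, "user_id": "bob"}},
    # token still flagged valid but already past its expiry timestamp
    "tok_carol": {"data": {"is_valid": True, "app_id": APP_ID,
                           "user_id": "carol", "expires_at": 1_600_000_000}},
    # live token issued to a different app: must not be accepted here
    "tok_dave": {"data": {"is_valid": True, "app_id": "999",
                          "user_id": "dave", "expires_at": 4_102_444_800}},
}


def sample_fetch(input_token: str) -> dict:
    """Stand-in for the HTTPS call to graph.facebook.com/debug_token."""
    return SAMPLE_RESPONSES.get(input_token, {"data": {"is_valid": False}})


def token_is_valid(input_token: str, expected_user: str, now: int,
                   fetch=sample_fetch) -> bool:
    """True only if the token is live, issued to this app, bound to
    expected_user, and not past its expiry."""
    data = fetch(input_token).get("data") or {}
    if not data.get("is_valid"):
        return False
    if data.get("app_id") != APP_ID:          # token for another app
        return False
    if data.get("user_id") != expected_user:  # token swapped between users
        return False
    expires_at = data.get("expires_at")
    if expires_at is not None and expires_at <= now:
        return False
    return True


@dataclass
class Session:
    user_id: str
    fb_token: str
    last_checked: int
    active: bool = True


def revalidate_sessions(sessions, now: int, max_age: int, fetch=sample_fetch):
    """Re-check every active session whose last check is older than max_age
    seconds; log out those whose token no longer validates.
    Returns the user ids that were logged out."""
    logged_out = []
    for s in sessions:
        if not s.active or now - s.last_checked < max_age:
            continue
        if token_is_valid(s.fb_token, s.user_id, now, fetch):
            s.last_checked = now
        else:
            s.active = False
            logged_out.append(s.user_id)
    return logged_out


def demo():
    """Run the sweep over constructed sessions; returns the logged-out users."""
    now = 1_700_000_000
    stale = now - 7200  # all sessions last checked two hours ago
    sessions = [
        Session("alice", "tok_alice", stale),
        Session("bob", "tok_bob", stale),
        Session("carol", "tok_carol", stale),
        Session("dave", "tok_dave", stale),
        Session("erin", "tok_alice", stale),  # alice's token presented as erin
    ]
    return revalidate_sessions(sessions, now, max_age=3600)


if __name__ == "__main__":
    print(demo())
```

The sweep logs out bob (token reset), carol (expired), dave (token belongs to another app) and erin (token bound to a different user), and keeps alice. An app that instead trusted a token until the user's next login would have kept every one of those sessions alive after the reset, which is exactly the gap the planned tool is meant to close for developers who do not validate regularly.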
Facebook has still said very little about what the attackers were able to do via the access tokens. It said at the time that its investigation into the Facebook hack was still underway.
Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement […]
Facebook’s investigation is still underway. While the flaw has been patched, it’s unclear to Facebook whether the stolen tokens were used and, if so, how many accounts were affected. In any case, Facebook has reset the access tokens for 90 million accounts, which means you may find yourself needing to log back in to the platform.
The company initially feared that the stolen access tokens might have been used to reach accounts on third-party apps that rely on Facebook Login, and while this remains a theoretical possibility, it appears that it hasn’t happened in practice.