September 29, 2018 01:00 pm PDT

A detailed anatomy of the hack behind Facebook's 50 million user breach

Yesterday, at least 90,000,000 Facebook users were forced to log back into the service without any explanation; later, the company revealed that at least 50,000,000 of them had been hacked, but wouldn't say how.

In a detailed anatomy of the hack based on an explanation provided by Facebook vice president of product management Guy Rosen, Motherboard's Lorenzo Franceschi-Bicchierai and Jason Koebler provide insight into the mechanics of the breach.

The vulnerability was in Facebook's somewhat esoteric "View as" feature. This feature allows Facebook users to assure themselves that the privacy settings they've chosen for their posts are working as intended. If you make a post that you want your parents to be able to see, but not your boss, "View as" will let you preview the post as if you were your boss, and then as if you were your parents, and confirm that you've got the confusing welter of Facebook privacy options right.

The attackers were able to exploit a bug in this feature to capture "access tokens" when they used "View as." By viewing a post as your boss, they could trick the system into generating an "access token" that they could use to actually log in to Facebook as your boss. These access tokens are used to spare users the inconvenience of being prompted to log in to Facebook every time an app or window tries to connect them to their Facebook data.

Logging out of Facebook cancels outstanding access tokens, which is why Facebook logged 90,000,000 users out yesterday.
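As an added illustration, not Facebook's code and not from the article: a minimal token store that models the two points above. A "View as" preview token must keep the acting user as its subject (the flawed variant that makes the target the subject is shown beside it), and a forced logout is simply revoking every token whose subject is that user.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model, not a real API. A token records who actually holds it
# (subject) and, for previews only, whose view it renders (preview_of).
@dataclass
class Token:
    value: str
    subject: str                 # account the bearer is really logged in as
    preview_of: Optional[str]    # set only for "View as" previews
    issued_at: float = field(default_factory=time.time)

class TokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def _issue(self, subject: str, preview_of: Optional[str]) -> Token:
        t = Token(secrets.token_urlsafe(32), subject, preview_of)
        self._tokens[t.value] = t
        return t

    def issue_login(self, user: str) -> Token:
        return self._issue(user, None)

    def issue_view_as_vulnerable(self, acting_user: str, target: str) -> Token:
        # The flaw the article describes: the preview is minted as a token
        # whose subject is the target, so the bearer can act as the target.
        return self._issue(target, None)

    def issue_view_as(self, acting_user: str, target: str) -> Token:
        # Hardened: the subject stays the acting user; the target is only a
        # rendering hint that the API layer never uses for authorization.
        return self._issue(acting_user, target)

    def identity_for_api(self, value: str) -> Optional[str]:
        """Identity an API call may act on behalf of; None if revoked/unknown."""
        t = self._tokens.get(value)
        return t.subject if t else None

    def logout_all(self, user: str) -> int:
        """Revoke every token held by `user` (the mass-logout step)."""
        doomed: List[str] = [v for v, t in self._tokens.items() if t.subject == user]
        for v in doomed:
            del self._tokens[v]
        return len(doomed)
```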


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/rTQlJ2V96ZI/stolen-access-tokens.html
