Facebook Zero Day Flaw: Hackers Stole 50 Million Users' Access Tokens

Written by Darshit Varotaria

I'm a Web Application Pentester, Security Researcher and Bug Hunter.

September 30, 2018

A Facebook zero-day flaw let hackers steal the access tokens of 50 million users!

Guys!! On Friday we all got shocking news about a Facebook zero-day flaw. About 90 million accounts were automatically logged out of Facebook, and the access tokens of 50 million users were stolen.

At the same time, news also spread that a security researcher was broadcasting live on Facebook and planned to delete Mark Zuckerberg's Facebook account using a zero-day he had found.

But he paused the broadcast, took the responsible step, and reported the issue instead.

So a question arose: if the security researcher had already reported his bug, how did the accounts get compromised?

Let's clear the matter up: Facebook was not only vulnerable to the issue that researcher reported; it was affected by multiple vulnerabilities, and the breach came from a different set of them.

Also, the security researcher who responsibly reported his issue had nothing to do with the breach. As a security researcher, he helped by sharing what he found.

Regarding the other vulnerabilities, Facebook stated that its engineers had noticed an unusual spike in traffic beginning on the 16th of September, and on further analysis confirmed that it was an attack.

There were three vulnerabilities (security flaws) in Facebook that, chained together, made the attack possible:

  1. The "View As" feature, which lets you see your own profile as a specific other user sees it, was supposed to be a view-only interface. Instead it incorrectly displayed the video uploader that is normally offered when you post a birthday wish on someone's timeline.
  2. That video uploader generated an "access token", and it generated one with the permissions of the Facebook mobile application, which a web uploader should never have been allowed to do.
  3. When you clicked "View As" and selected another user to view your profile from that user's end, the access token generated was not for you but for the user you had selected.

So, by extracting that access token from the page, an attacker could access the selected user's account without ever being asked for a password or a two-factor authentication code: the token is presented in place of both.

An access token is a bearer credential: whoever presents it is treated as the account it was issued for, so it is as sensitive as a password. Each login session is issued its own token, and the server decides which account that token acts on behalf of and what it is allowed to do.

Facebook automatically logged out about 90 million users, which invalidated their existing access tokens; on their next login they receive newly generated ones.
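The token lifecycle that the three flaws above turn on, as an added example written for this page (it is not Facebook's code): a toy Python token service with the flawed "View As" path beside a fixed one, and the revocation step that a forced logout or password reset relies on. The names TokenService, view_as_vulnerable, view_as_fixed and reset_password, and the users "attacker" and "victim", are hypothetical.

```python
# Added example (not Facebook's code): a toy token service modelling the
# "View As" token bug, its fix, and session invalidation. All names hypothetical.
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    subject: str      # the account this token acts on behalf of
    scope: str        # "full" (what the mobile app gets) or "read_only"
    generation: int   # revocation generation of `subject` at issue time


class TokenService:
    def __init__(self) -> None:
        self._gen: dict[str, int] = {}         # user -> current session generation
        self._tokens: dict[str, Session] = {}  # token -> session (server side only)

    def _generation(self, user: str) -> int:
        return self._gen.setdefault(user, 0)

    def _mint(self, subject: str, scope: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = Session(subject, scope, self._generation(subject))
        return token

    def login(self, user: str, password_ok: bool) -> str:
        """Normal login: a full-scope token bound to the authenticated user."""
        if not password_ok:
            raise PermissionError("bad password")
        return self._mint(user, "full")

    def session(self, token: str) -> Session:
        """Bearer-token check: whoever presents a live token *is* its subject.
        No password or second factor is consulted here, which is the point."""
        s = self._tokens.get(token)
        if s is None or s.generation != self._generation(s.subject):
            raise PermissionError("invalid or revoked token")
        return s

    def whoami(self, token: str) -> str:
        return self.session(token).subject

    def can_post(self, token: str) -> bool:
        return self.session(token).scope == "full"

    def view_as_vulnerable(self, viewer_token: str, target: str) -> str:
        """Flawed behaviour: the uploader embedded in View As minted a token
        with mobile-app (full) scope whose subject was the *target* profile."""
        self.session(viewer_token)             # caller only has to be logged in
        return self._mint(target, "full")      # BUG: wrong subject, wrong scope

    def view_as_fixed(self, viewer_token: str, target: str) -> str:
        """Hardened: View As is read-only and any token stays bound to the viewer;
        `target` only influences what is rendered, never whose token is minted."""
        viewer = self.whoami(viewer_token)
        return self._mint(viewer, "read_only")

    def reset_password(self, user: str) -> None:
        """Password reset / forced logout: bump the generation so every token
        issued earlier for `user` stops validating, without enumerating them."""
        self._gen[user] = self._generation(user) + 1


def demo() -> dict:
    svc = TokenService()
    attacker = svc.login("attacker", password_ok=True)

    stolen = svc.view_as_vulnerable(attacker, target="victim")
    result = {"vulnerable_subject": svc.whoami(stolen),      # "victim"
              "vulnerable_can_post": svc.can_post(stolen)}    # True: full takeover

    safe = svc.view_as_fixed(attacker, target="victim")
    result["fixed_subject"] = svc.whoami(safe)                # "attacker"
    result["fixed_can_post"] = svc.can_post(safe)             # False

    svc.reset_password("victim")                              # the forced logout
    try:
        svc.whoami(stolen)
        result["stolen_still_valid"] = True
    except PermissionError:
        result["stolen_still_valid"] = False                  # token revoked
    return result


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes a mass logout cheap: revoking a user means incrementing one integer, and every token minted under the old generation fails its next check, whether or not the attacker still holds it.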

What steps should you take to secure your Facebook account?

  1. If you are one of the users whose Facebook account was automatically logged out, I suggest you reset your password and log back in with the new credentials.
  2. If your Facebook account was not logged out automatically, I still recommend resetting your password and logging back in with new credentials. Facebook is currently investigating the incident in collaboration with the FBI, so it is better to be on the safe side.

Resetting your password invalidates your existing sessions and issues a new access token on login, so even if your old token was stolen it no longer works; only the new one is active.

Please share this article so that more people become aware and can take the necessary security steps.


If you want to step into Cyber Security and want to learn Web Application Pentesting, then don’t forget to check out my course (Link given below):
