The most recent Facebook hack is way worse than you probably realize
jason polakis@jpolakis
· Sep 29, 2018
Replying to @jpolakis
In our experiments we demonstrated how the Facebook iOS app was exposing the session tokens over unencrypted connections, while in this attack the root cause is a complex combination of three different bugs as explained here: https://newsroom.fb.com/news/2018/09/security-update/#details … (3/n)
Security Update | Facebook Newsroom
We're taking this security issue incredibly seriously and wanted to let everyone know what's happened.
newsroom.fb.com
jason polakis@jpolakis
An unexpected finding during our experiments was that when attackers use hijacked FB tokens (i.e., cookies) to access the user’s FB account, the attacker’s session *didn’t* show up in the list of active sessions if the attacker stayed connected for less than 60 mins. (4/n)
12:48 PM - Sep 29, 2018
239
156 people are talking about this
- “Check “Where you’re logged in” for suspicious sessions. If you see any, click the dots beside the session and then click ‘Not You?’ to report it to Facebook.
- While there, you can get notifications if someone tries to access your Facebook profile in the section titled ‘Setting Up Extra Security.'”
Published October 9, 2018
Join the discussion — please keep to our Community Guidelines.