Facebook has recently reported that external actors have exploited a bug in its system to gain access to more than 50 million users. Apparently, three different bugs were used together to get access-token of the affected users that lets the attackers login to Facebook without needing the user’s password. Though Facebook is still investigating what data the attackers could have gotten, considering the fact that the access-token is powerful (it has the permission of the Facebook mobile app), we can assume they’ve got everything. However, apart from getting user data, the attacker could have also performed several (automated/manual) actions using the affected user’s account including costing money! The following are off the top of my head assuming 50 million user acounts:
Bypass Facebook News Feed algorithm
We know the Facebook News Feed algorithm favors posts that have initial momentum (reactions, comments and shares). Thus, that attackers could have used the affected users’ accounts to generate fake reactions, comments and shares in order to fool the algorithm.
Sell Facebook Page Likes
In order to increase a Facebook Page’s Likes, one has to pay for Facebook and advertise the Page to a given audience that most likely will like the Page. However, using the 50 million accounts, the attackers could bypass Facebook advertisement and sell Likes directly to their users. Well, this could also apply for the first case, where the attackers sell traction.
Takeover users Facebook Pages and Facebook Groups
Imagine having a Page with millions of Likes that you spent money on and because of a bug on Facebook system, the attackers take control of and remove you from the admins list? Though Facebook might restore ownership, it is reported that it is not that simple to get back.
Use configured Facebook ad account
This actually will cost money to the user. If a user has a configured ad account, the attackers could use it to promote something that costs money. Moreover, the attackers could advertise something that violates Facebook’s policy and get the users ad account disabled.
According to the notification I received on Facebook, I am one of the 50 million affected users. Though Facebook is still working on it, I tried to go through the possible places where I could see if my account was used to perform some actions. For now, it seems fine. But I can’t say anything about the data they have.
Stay safe on this unsafe platform.