On September 28th 2018, Facebook announced a vulnerability which could theoretically allow malicious actors to exploit a feature in Facebook’s site code called “View As,” which lets users see how their profile appears to other people.
According to the announcement, “this allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.” Facebook added: “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
A Facebook spokesperson confirmed that while it was technically possible that an attacker could have abused this bug to target third-party apps and sites that use Facebook logins, the company doesn’t have any evidence so far that this has happened.
Facebook proactively logged millions of users out of their accounts, including Zendesk Message users. The primary presumed impact at this point is the loss of communications in Message sent during the window between Facebook’s token reset and customers’ re-authorization. Neither Zendesk nor Facebook has determined that any malicious access was achieved. However, the investigation is ongoing and is being led by Facebook.
If you observe any logins that used previously issued credentials, it is highly recommended that you report them to firstname.lastname@example.org.
What you need to do
Zendesk integrates with Facebook pages and Facebook Messenger. Facebook auth is also used for Guide single sign-on. The incident affected a subset of Zendesk accounts integrated with Facebook whose access tokens were reset, including users of Zendesk Message.
- If you do not use the Facebook integration or your Facebook account was not impacted, no action is needed.
- If your Facebook page account was impacted, you will need to fully re-authorize your account as described in this article.
- If your integration between Facebook Messenger and Zendesk Message was impacted, we recommend contacting email@example.com before re-authorizing.
Please note: Any Facebook messages received while your account was de-authorized will not come into Zendesk as tickets. If this is a significant concern for you, please submit a ticket to firstname.lastname@example.org so that our team can work with you on a solution.