Facebook and Uber APIs Failure

APIs can become vulnerable, allowing hackers to take over the control of the system. This can be a root cause of API failure. The big tech companies have always been the target of hackers trying to access the data of millions of users. This lesson discusses events that occurred in recent years with Facebook and Uber because both companies had similar security vulnerabilities.

Facebook API failure

In 2018, Facebook discovered a massive data breach of 50 millionSee: https://about.fb.com/news/2018/09/security-update/ (the claim was later modified to about 87 million) accounts. The hackers used the video upload functionality created in 2017 by Facebook for the data breach. A feature called "View as" in users' profiles lets users see how their profile looks to other users. It also lets users customize it to see their profile through a specific user’s perspective through "View as."

How did it happen?

A vulnerability in Facebook's code impacted the "View as" feature by generating access tokens for Facebook users whose profile was being viewed along with other data. This enabled hackers to steal users' access tokens through which they got access to the private information of millions of users. Unfortunately for Facebook, their organization only learned about this after the “View as” feature was misused.