Naked Security

Facebook restores disabled ‘View As’ feature used in 2018 breach

The feature still lets you see how others see you, but without leaking access tokens.

Facebook is reviving a version of a privacy feature that it disabled last year after hackers exploited it to steal users’ access tokens – the keys that allow users to stay logged into Facebook without having to re-enter their password every time they use the app.

The stolen access tokens granted attackers access to all of the affected users’ data, including anything you can see, read, download or change when you log in to Facebook.

Facebook discovered the breach in September.

Initially, the company thought that 50 million accounts had been affected, and it reset another 40 million as a precautionary step. In October, it downgraded the number to about 30 million accounts – still a huge number of users whose phone numbers, emails and other information were compromised.

On Tuesday, Facebook updated its initial blog post about the breach to say that it’s completed a security review and is re-enabling a version of the “View As” feature that hadn’t been affected by the security incident.

The cruel irony of the data breach was that the whole idea of “View As” was to help people improve their privacy and security by allowing them to see how they look to the outside world.

The “View As Public” feature lets people see what their profile looks like to people they aren’t friends with on Facebook. Not only was the restored version unaffected by the breach, but this version was also “significantly more popular” than Facebook’s “View as Specific Person” feature, Facebook says.

The company is also adding an “edit public details” button to make it easier for users to find settings that allow them to control the profile information that the public can see.


Just as an FYI for Facebook users on mobile. The only reason (I know of) to install their app is to use their messenger. However, you don’t need to. You can hold your finger on the Stop/Refresh browser icon, and a pop-up will come up offering to “Request Desktop Site”; once you accept, you can access the chat just like on a PC. However, once you leave that open page, you will have to do it again. I see no use for their app other than giving them full access to your device.


Thanks for that tip! Until now I’ve been waiting until I get home to use my PC to check Facebook messenger messages rather than installing the Facebook app on my mobile.

