In response to the security attack Facebook uncovered in late September, Facebook has released ASID security check scripts. Although Facebook has fixed the vulnerability, these ASID security check scripts allow app developers to manually identify whether any of their users may have been affected by the attack.
While Facebook reported that 50 million access tokens were stolen, and Facebook reset tokens for the 50 million and an additional 40 million (meaning 90 million users needed to log back in after the Facebook fix), Facebook has now reported that there is no evidence that suggests the attackers accessed any apps via Facebook Login.
The ASID security scripts were built for apps that do not use Facebook SDKs but utilize Facebook for login functionality. The scripts are command-line scripts that allow developers to check whether their app users were compromised in the September attack.
The scripts accept three inputs: the Facebook-enabled app's app secret, the local path to a file downloaded from an app page, and a local path created by the app developer. With those three inputs provided to Facebook, Facebook can tell whether the sessions were affected and need to be invalidated.