Security Week 13: open passwords on Facebook

Facebook has a problem with user data security. Again? Yes, and how. On March 19, journalist Brian Krebs reported that the company had been storing user passwords in plain text for years (news, Krebs article, Facebook official post). Judging by the official statement, and according to what Krebs learned from a company employee who wished to remain anonymous, the store of plaintext passwords came about as a result of the actions of the company's own developers.

Your account password was most likely in this store if you used the Facebook Lite application, but other scenarios are possible too. Facebook plans to notify all affected users individually and suggest a password change; these are "tens of millions" of Facebook and Instagram users.
The store was discovered during a routine security audit and had existed since 2012. Users were only nominally affected: Facebook claims that no suspicious activity (a leak of the data or illegitimate access by insiders) was recorded. Nevertheless, according to Krebs's anonymous source, more than 9 million queries against the password data by some two thousand developers were recorded inside the company.

Overall, a film quote fits this situation very well:


Such a sharply negative assessment of the security situation at Facebook is possible only against the background of the social network's other troubles. It all started with the scandal over mass profiling of users by the third-party company Cambridge Analytica in 2018. After that, many aspects of how Facebook operates came to light which it would be nice to improve from the standpoint of user data privacy: problems with content moderation, an advertising system that allows people to be targeted by phone number, and much more. On March 6, network founder Mark Zuckerberg announced radical changes to the social network, which in the future is supposed to become "privacy-focused". This is commendable, although one should not forget that the business model of the social network (and of any other free network service) still depends, in one form or another, on selling users' personal data to advertisers.

So, if you set all of this aside, the password problem does not look so terrible, simply because many services regularly run into such problems. Last year, Twitter asked 330 million users to change their passwords: it turned out that passwords in clear text, before hashing, were being written to the social network's internal logs. A similar problem with logs occurred at GitHub. Instagram recently introduced the ability to download all of a user's data (as required by GDPR), and at one stage the password was passed directly as part of the URL.
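The two failure modes just described, a password written to a log before it is hashed and a password carried in a URL, are illustrated below in an added example written for this digest; it is not code from Facebook, Twitter, GitHub or Instagram. A naive login handler sits beside a hardened one that hashes at the boundary with PBKDF2 and redacts sensitive fields before anything reaches a log; the field names in SENSITIVE_KEYS and the sample values are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Field names that must never reach a log in clear text (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pass", "token"}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only this string should be stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def redact(fields: Dict[str, str]) -> Dict[str, str]:
    """Replace sensitive values before a dict of request fields is logged."""
    return {k: ("REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in fields.items()}


def redact_url(url: str) -> str:
    """Scrub sensitive query parameters so the URL is safe for an access log."""
    parts = urlsplit(url)
    query = urlencode(redact(dict(parse_qsl(parts.query, keep_blank_values=True))))
    return urlunsplit(parts._replace(query=query))


def login_naive(log: List[str], form: Dict[str, str]) -> str:
    # The failure mode: the raw request is written to a log first, hashed second.
    log.append(f"login form={form}")
    return hash_password(form["password"])


def login_safe(log: List[str], form: Dict[str, str]) -> str:
    # Hash at the boundary and log only the redacted view of the request.
    record = hash_password(form["password"])
    log.append(f"login form={redact(form)}")
    return record
```

A grep of the resulting log for a known test password (constructed sample input such as "hunter2") is a cheap regression check that the naive path has not crept back in.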

None of this seems to matter: Facebook claims that even with the correct password an attacker would not necessarily be able to log in to someone else's account, because the security system would step in. Two-factor authentication also reduces the chances of unauthorized access. Our data is reliably protected, well, apart from other incidents that allowed, for example, logging in to someone else's account without a password at all. And apart from the problems of a careless approach to privacy, because of which our data ends up stored not only at the network giants but with just about anyone.

The requirements that are little by little beginning to be placed on large organizations such as Facebook, Google and Apple are more serious than those for smaller companies, because of their scale. Even a small problem or deficiency in their case affects a number of users equal to the population of a sizeable country. Apparently, what matters is not even the security of an individual user's account but the privacy of the user as a whole. Each message in the "something went wrong again" series makes one wonder: what else do they know about us? What data do they have access to? How is it used?

And the point is not only that you are shown ads for scratching posts if you regularly write about cats. We do not even know what the widespread availability of user data on the network will lead to. A relatively small scandal (Facebook was not mentioned, so no one noticed) occurred recently around IBM's face recognition algorithm. It turned out that the training used a database of user photos from Flickr. From a legal point of view everything was above board: the photos had been distributed under a Creative Commons license. It seems that the generation of Internet users of the early 2000s will be the most thoroughly documented one: before it there was no technology, and after it the newly developed privacy standards will no longer allow it. That technology is being developed on the basis of our data is a good thing. I would like to avoid a situation where algorithms fed on that information know users better than they know themselves, and use this not only for incredibly smart and useful services but also for manipulation.


Source.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.
