This article was published on January 19, 2019

How 2018 became Facebook’s worst year in privacy and security

In early December, Facebook’s developer team declared the discovery of a security bug that gave developers access to photos users hadn’t shared on their timeline, including photos they had posted in Facebook Marketplace or Stories.

More worryingly, apps could find access to images users might have uploaded to Facebook but didn’t post anywhere. For example, this could be pictures you uploaded to a profile update you abandoned and did not complete. These are pictures that users haven’t shared with anyone.

According to Facebook, up to 1,500 apps might have made use of the bug and up to 6.8 million users might have been affected. According to TechCrunch, the bug ran for 12 days, from September 13 to September 25, and Facebook reported it to the Office of the Data Protection Commissioner (IDPC), the EU’s privacy watchdog, on November 22.

These bugs usually crop up when Facebook’s engineers make updates to the software’s code to add new features or fix old problems.

Twelve days might not be a very large time window, and the affected users are less than 1 percent of Facebook’s monthly active users. However, Facebook’s latest security mess-up is another reminder of the challenges of running a 2-billion-user-strong social media platform. The smallest slip can quickly reach critical proportions, even if it covers only a small part of Facebook’s audience.

And in this regard, Facebook has had a troubled year. As we close in on the end of the year, here’s a look back at Facebook’s privacy and security scandals in 2018. (We’ll update this post if Facebook happens to make the headlines again before 2018’s final two weeks run their course.)

Facebook bug accidentally changes post status to public

A bug that was present in Facebook’s composer, the dialog where users create new posts, between May 18 and 27 caused some users’ status updates to become viewable by everyone. Unless users explicitly change their profile settings, status updates are configured to be shared privately by default. This means only your friends can see what you post, unless you change a specific post to a public audience.

The privacy bug was introduced as the company’s developers were adding a “featured items” option to user profiles. While the feature was supposed to highlight select content and photos on user profiles, it accidentally switched the default audience of all new status updates to public. This means that the whole world would be able to view your sensitive, friends-only content unless you were vigilant enough to notice and switch the audience setting back.

According to Facebook, the bug could have affected 14 million users. But it wasn’t clear what exposed a user to the bug (a specific version of the app, perhaps, or only use of the featured items option). The company notified all users who might have been affected by the bug.

Facebook bug exposes user sessions to developers

At the end of September, Facebook revealed a bug that had existed in its API for over a year and could enable a malicious developer to stage session hijacking attacks against targeted users. The bug was in the “View As” feature, which lets users see what their profile looks like to other people who visit it. Again, the bug was apparently caused by an update to the composer.

This vulnerability was especially dangerous because it needed no specific action from the targeted user. A malicious user only needed to use the API to call the “View As” feature on the targeted user, and they would receive a session token for that user. A session token lets its holder use the application as if they were that user. This basically means an attacker could gain full access to the targeted user’s account, though they wouldn’t be able to perform some sensitive functions that require two-step verification, such as changing passwords.

Approximately 90 million users could have been affected by the vulnerability. Facebook notified all of them. Interestingly, Facebook made the bug public at around the same time its engineers had found the image vulnerability mentioned at the beginning of the post.

Facebook bug lets websites read users’ likes and interests

In November, Facebook declared that it had fixed a vulnerability that enabled websites to pull profile information from the accounts of visitors. A researcher from cybersecurity firm Imperva developed a proof of concept showing that Facebook had a cross-site scripting (XSS) vulnerability with which developers could access information such as a user’s likes when that user visited their website. The access would be granted even if the targeted user had set their privacy settings to make that information private.

All the malicious developer had to do was embed a Facebook iframe in the malicious website, perform search queries, and use the XSS vulnerability to transfer information across domains.
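The attack above depends on a third-party page being allowed to embed a Facebook page in an iframe. The check below is an added example, not part of the article or of Imperva’s proof of concept: given an endpoint’s response headers, it decides whether an arbitrary origin could frame the page, applying the rule browsers use (a CSP `frame-ancestors` directive, when present, overrides `X-Frame-Options`). The sample header sets and origins are constructed, and the source-expression matching deliberately ignores ports and paths.

```python
# Added example (not the article's or Imperva's code): decide from response
# headers whether a page can be embedded in an iframe by a given origin.
from urllib.parse import urlparse


def _origin(url: str):
    p = urlparse(url)
    return p.scheme.lower(), (p.hostname or "").lower()


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(src: str, page_url: str, embedder_url: str) -> bool:
    """Does one frame-ancestors source expression admit the embedder origin?
    Simplification: ports and paths in host-sources are not matched."""
    page_scheme, page_host = _origin(page_url)
    emb_scheme, emb_host = _origin(embedder_url)
    if src == "*":
        return True
    if src == "self":
        return (page_scheme, page_host) == (emb_scheme, emb_host)
    if src.endswith(":") and "/" not in src:        # scheme-source such as https:
        return emb_scheme == src[:-1]
    scheme, _, host = src.rpartition("://")           # host-source, optional scheme
    if scheme and scheme != emb_scheme:
        return False
    if host.startswith("*."):                         # wildcard matches subdomains only
        return emb_host.endswith(host[1:])
    return emb_host == host


def frameable_by(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would let embedder_url put page_url in an iframe,
    judging only from these response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    ancestors = _frame_ancestors(csp) if csp else None
    if ancestors is not None:                         # CSP wins over X-Frame-Options
        if not ancestors or ancestors == ["none"]:
            return False
        return any(_source_matches(s, page_url, embedder_url) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_url)
    # No recognised policy (the obsolete ALLOW-FROM is ignored by current browsers),
    # so any site can embed the page.
    return True


# Constructed sample header sets for a hypothetical endpoint.
SAMPLES = {
    "no policy": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp allowlist": {"Content-Security-Policy":
                      "default-src 'self'; frame-ancestors 'self' https://*.trusted.example"},
    "csp none beats xfo": {"X-Frame-Options": "SAMEORIGIN",
                           "Content-Security-Policy": "frame-ancestors 'none'"},
}


def audit(page_url: str, embedder_url: str) -> dict:
    """Evaluate every sample policy against one embedding origin."""
    return {name: frameable_by(h, page_url, embedder_url) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    results = audit("https://social.example/search", "https://third-party.example")
    for name, ok in results.items():
        print(f"{name:20s} frameable by third party: {ok}")
```

Running the audit against a third-party origin shows that only the header-less endpoint is embeddable; the same function applied to a same-origin embedder shows that `frame-ancestors 'none'` still wins even where `X-Frame-Options: SAMEORIGIN` alone would have allowed the frame.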

Interests and likes can be used to gather information about the user for purposes such as advertisement, spying or developing tactics for phishing attacks.

Facebook fixed the bug after Imperva reported it and paid the researcher an $8,000 bug bounty.

Facebook’s Cambridge Analytica Scandal

We kept Facebook’s biggest scandal for the end, because technically it belonged to earlier years. However, the scale and details of the privacy breach only came to light this year.

In March, the Guardian’s Observer and The New York Times revealed that Cambridge Analytica, an organization located in the U.K., had paid for a Facebook app that asked U.S. voters to take a personality quiz. Ostensibly, the app was made for academic research purposes.

But the organization used the app to collect likes and other information about the users and their friends to trace psychological patterns and target the users with personalized advertising meant to influence their voting preferences in the 2016 U.S. presidential elections.

The organization even ran a job on Mechanical Turk, Amazon’s marketplace for crowdsourced data tasks, and paid people to install the app and take the test. According to estimates, Cambridge Analytica was able to gather and mine the information of 50 million users.

The revelation caused outrage among U.S. politicians and members of Congress and raised concern over Facebook’s role in undermining democracy. Facebook CEO Mark Zuckerberg was eventually brought before the U.S. Senate to answer questions about how his company handles user data.

Cambridge Analytica had breached Facebook’s terms and conditions for using its API and app development platform.

Facebook continues to grow

In the past few years, Facebook has earned a bad reputation as a company that gobbles up and mines user data to fill the pockets of its rich executives. And we haven’t even covered the scandals involving legitimate uses of Facebook’s software, such as the political crises in Myanmar, the Philippines and India. Given all the negative media coverage Facebook is getting, you would have thought the company would have been destroyed and abandoned by its users.

But the reality is that, despite its security and privacy struggles, Facebook has maintained its position as the dominant online social network, and it continues to grow at a steady rate. None of this means that Facebook is doing a sloppy job of securing its platform. In fact, the company employs some of the most brilliant engineers and security experts.

However, Facebook’s worst year in security proves that with great responsibility comes great exposure. When you’re the primary source of news and communications for billions of users, every small mistake can have ripple effects that affect millions of users.

This story is republished from TechTalks, the blog that explores how technology is solving problems… and creating new ones.