Facebook's Security Slackness: A Cautionary Tale

With 500 million users offering up reams of personal data and ever-shifting and confusing privacy policies, Facebook is a tempting target for phishing and other nefarious activities. And it's no wonder given the company's attitude to security. When hackers find vulnerabilities in the service, don't expect any help from Facebook, which has adopted a "blame the user" mentality that refuses to acknowledge any possibility of a flaw in its own infrastructure.

I've learnt this the hard way after my Facebook account suffered from some sort of intrusion over the weekend. I managed to clean up the mess pretty quickly, but that was no thanks to Facebook itself. Trying to identify the source of the problem proved to be a lot trickier, largely because Facebook doesn't want to engage in any kind of meaningful dialogue about security with anyone.

The incident: WTF?

So here's what happened. On Sunday afternoon, I got an email from a friend saying that she'd received a "dodgy" email from me via Facebook, and suspected that meant something was wrong with my account. She forwarded me the mail, and it was indeed obviously dodgy:

There have been accounts of shady marketing companies phishing for data using gift cards from Best Buy and other retailers as bait before, and it's often said that installing third-party Facebook apps without carefully checking privacy settings can expose your personal data and make it easier to fake phishing messages including personal details. I hadn't installed any apps recently, so that didn't seem an obvious path.

But what was really odd (and disturbing) was that there were also two events added to Facebook listing me as "attending", even though I'd never done any such thing (or received an invite to an event myself). Events is an app Facebook develops and manages itself, so if it contains security vulnerabilities, then every user is potentially affected. I'm lucky that I have clued-up friends, because Facebook itself, despite occasionally boasting that it has advanced spam detection facilities, hadn't registered that there was anything wrong with the messages sent via my account.

I immediately did all the obvious things under the circumstances. I ran my antivirus software through a full scan to make sure my system hadn't been compromised (it hadn't, and my browser and OS are up-to-date as well). I changed my Facebook password. I posted a message on Facebook telling my friends to ignore any dodgy gift card emails, and I deleted the events from my own events list, so anyone who did click on the message wouldn't think I'd endorsed it. As far as I could tell, I'd cleared up the problem, but I was none the wiser as to how it had happened. It was time to contact Facebook.

The reaction: Silence and accusations

Normally when I encounter technology issues, I try to use the standard consumer reporting channels before pulling the "I'm a journalist" card and going directly to the company. On this occasion, I didn't do that. Firstly, I figured any information on a wider security issue would be worth reporting to a broader audience as quickly as possible. Secondly, my previous experiences with using Facebook's online reporting systems suggested that, to be blunt, the company pretty much ignores everything that gets sent to it. So I went directly to Facebook's Australian media contact, explained the issue and sought some comment.

After stalling for two days (a classic tactic to try and suppress bad news), Facebook told me it would not provide any response to a request for comment, other than a copy of a standard boilerplate statement about how it takes security seriously which said nothing whatsoever about this particular issue. It was unable to discuss what the source of the security vulnerability might have been or to advise if specific security settings in the Events app (which, let's remember, is coded by Facebook itself) could be set to improve its security. And it was unwilling to discuss why it wouldn't discuss the problem, other than to say it couldn't ever deal with individual issues. In other words: It didn't want to help at all, and it didn't even want to acknowledge there had been a problem.

Despite this silence and denial, flagging that I'd experienced a breach did result in Facebook placing a temporary block on my account some 24 hours later and not letting me log in again until I'd completed a verification check involving identifying friends in various photos. That's fair enough. What wasn't was the message which Facebook presented after I'd been through that process:

According to Facebook, my PC has definitely "been infected" with "harmful programs". No ifs, buts or maybes. No details of why it might think so. Just a straight out "there's a problem, and it's all down to you".

I could readily accept recommending running a scan to see if there's an infection, especially if Facebook provided a more detailed explanation for why that might be the case. But having run a full scan across my system when I'd become aware of the issue, I was confident that this wasn't true.

For Facebook to present an unqualified claim that my system had been infected, with zero actual investigation of my PC, in a scenario where a flaw in its own software was also a distinct possibility, seems like a classic case of blame-shifting. Actually, I'm being too generous there. It's self-serving, ill-thought-out bullshit, and the kind of messaging that is usually associated with fake antivirus software.

Something else to note. The standard statement Facebook issued to me said that "users who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts". At no point was I asked to reset my password. I'd done so myself earlier, but if Facebook truly was putting me through a standard process, why wasn't that step included? It would have been much more useful than what it did advise.

The lesson: in security, silence is not golden

I write quite a bit about information security (for both individuals and businesses), so I'm all too aware that sharing information is a balancing act. Offering up detailed descriptions of how a vulnerability can be exploited before it has been fixed can make it easier for others to exploit it. But that concept always has to be balanced with the need to keep people informed. Major OS vendors regularly keep information about vulnerabilities private until a patch has been developed, but they invariably share the information afterwards. In that context, Facebook's silence tends to suggest it doesn't yet know where the vulnerability is.

The global computer security industry depends on information sharing. Security software companies might be commercial rivals, but when it comes to identifying issues and sharing solutions, they communicate readily and openly. Facebook's contrasting behaviour suggests that its sole interest is in trying to pretend that it cares about security, rather than actually doing anything constructive.

Facebook's blog post about its spam-detection systems (which, based on my experience, are flawed) talks about "the rare cases in which we make mistakes". Facebook's fundamental approach is a mistake, and it's a mistake that can potentially blight everything it does.

Many people have abandoned Facebook this year because of its high-handed approach to privacy. Right now, Facebook still feels a bit too valuable to me to leave: it's a great way of keeping in touch with friends I might easily neglect otherwise. But I'm going to find it difficult to trust for anything more complex than sharing status messages, and if I could persuade all my friends to move to Twitter instead, there'd be no turning back.

Had your own Facebook security drama? Tell us what happened and how you dealt with it in the comments.


Comments

    I hate Facebook's dealings with third party companies. Things like the Social Plugin feature make drive-by viruses and other nasties a real and present threat. Especially when these "Like sites" such as fblike.com use names that are designed to confuse. For example: "John Doe likes Eating Lunch and Firefox on 9 other pages". The site is CALLED 9 other pages, not "this person likes x, y and 9 other pages". I know Facebook claims to work closely with these sites, but I bet my bottom dollar that they don't.

    Let's see how Google handles the Social Networking bit (asides from Orkut and Buzz, I mean)

    I had a similar response from Roam Tolling here in Sydney.

    I own a domain and each time I supply an email address, I tailor it to the company in question. For example, this comment will use [email protected]

    Days after I cancelled my Roam Tolling account I started to receive spam mail addressed to [email protected]

    Their response was that my system had been compromised by a 'hacker' and that I needed to run anti-virus software to remove it, just as Facebook have told you, despite the fact that the email address in question has never existed on my computer and was fabricated for my Roam account.

    I agree with you completely, it's blame shifting for one of two things:
    1) Roam or a Roam employee sold my email address once I cancelled the account
    2) Roam's records were compromised

    They refused any further comment and I have now blocked any mail sent to [email protected]

    Something similar happened to me a few months ago, except it was an email being sent out from my Hotmail account to all my Hotmail contacts. I have a deep suspicion Facebook is the culprit.

    A few weeks beforehand I responded to a "check which hotmail contacts are on Facebook" advertisement. It didn't seem strange to me at the time, but the ad appeared in Facebook's right-hand ad column as it seemed like a legitimate Facebook ad.

    I can't help thinking that this 'ad' was set up by a third party, which passed my details through to the real Facebook/Hotmail contact checker only after collecting my Hotmail username and password along the way.

    I immediately changed my Hotmail and Facebook passwords and haven't had a problem since...

    I really wish Facebook would let me opt right out of third-party apps, and opt out of allowing myself to be tagged in photos except by myself.
