With 500 million users offering up reams of personal data and ever-shifting and confusing privacy policies, Facebook is a tempting target for phishing and other nefarious activities. And it’s no wonder given the company’s attitude to security. When hackers find vulnerabilities in the service, don’t expect any help from Facebook, which has adopted a “blame the user” mentality that refuses to acknowledge any possibility of a flaw in its own infrastructure.
I’ve learnt this the hard way after my Facebook account suffered from some sort of intrusion over the weekend. I managed to clean up the mess pretty quickly, but that was no thanks to Facebook itself. Trying to identify the source of the problem proved to be a lot trickier, largely because Facebook doesn’t want to engage in any kind of meaningful dialogue about security with anyone.
The incident: WTF?
So here’s what happened. On Sunday afternoon, I got an email from a friend saying that she’d received a “dodgy” email from me via Facebook, and suspected that meant something was wrong with my account. She forwarded me the mail, and it was indeed obviously dodgy:
There have been accounts of shady marketing companies phishing for data using gift cards from Best Buy and other retailers as bait before, and it’s often said that installing third-party Facebook apps without carefully checking privacy settings can expose your personal data and make it easier to fake phishing messages including personal details. I hadn’t installed any apps recently, so that didn’t seem an obvious path.
But what was really odd (and disturbing) was that there were also two events added to Facebook listing me as “attending”, even though I’d never done any such thing (or received an invite to an event myself). Events is an app Facebook develops and manages itself, so if it contains security vulnerabilities, then every user is potentially affected. I’m lucky that I have clued-up friends, because Facebook itself, despite occasionally boasting that it has advanced spam detection facilities, hadn’t registered that there was anything wrong with the messages sent via my account.
I immediately did all the obvious things under the circumstances. I ran my antivirus software through a full scan to make sure my system hadn’t been compromised (it hadn’t, and my browser and OS are up-to-date as well). I changed my Facebook password. I posted a message on Facebook telling my friends to ignore any dodgy gift card emails, and I deleted the events from my own events list, so anyone who did click on the message wouldn’t think I’d endorsed it. As far as I could tell, I’d cleared up the problem, but I was none the wiser as to how it had happened. It was time to contact Facebook.
The reaction: Silence and accusations
Normally when I encounter technology issues, I try to use the standard consumer reporting channels before pulling the “I’m a journalist” card and going directly to the company. On this occasion, I didn’t do that. Firstly, I figured any information on a wider security issue would be worth reporting to a broader audience as quickly as possible. Secondly, my previous experiences with using Facebook’s online reporting systems suggested that, to be blunt, the company pretty much ignores everything that gets sent to it. So I went directly to Facebook’s Australian media contact, explained the issue and sought some comment.
After stalling for two days (a classic tactic to try and suppress bad news), Facebook told me it would not provide any response to a request for comment, other than a copy of a standard boilerplate statement about how it takes security seriously which said nothing whatsoever about this particular issue. It was unable to discuss what the source of the security vulnerability might have been or to advise if specific security settings in the Events app (which, let’s remember, is coded by Facebook itself) could be set to improve its security. And it was unwilling to discuss why it wouldn’t discuss the problem, other than to say it couldn’t ever deal with individual issues. In other words: It didn’t want to help at all, and it didn’t even want to acknowledge there had been a problem.
Despite this silence and denial, flagging that I’d experienced a breach did result in Facebook placing a temporary block on my account some 24 hours later and not letting me log in again until I’d completed a verification check involving identifying friends in various photos. That’s fair enough. What wasn’t was the message which Facebook presented after I’d been through that process:
According to Facebook, my PC has definitely “been infected” with “harmful programs”. No ifs, buts or maybes. No details of why it might think so. Just a straight out “there’s a problem, and it’s all down to you”.
I could readily accept recommending running a scan to see if there’s an infection, especially if Facebook provided a more detailed explanation for why that might be the case. But having run a full scan across my system when I’d become aware of the issue, I was confident that this wasn’t true.
For Facebook to present an unqualified claim that my system had been infected, with zero actual investigation of my PC, in a scenario where a flaw in its own software was also a distinct possibility, seems like a classic case of blame-shifting. Actually, I’m being too generous there. It’s self-serving, ill-thought-out bullshit, and the kind of messaging that is usually associated with fake antivirus software.
Something else to note. The standard statement Facebook issued to me said that “users who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts”. At no point was I asked to reset my password. I’d done so myself earlier, but if Facebook truly was putting me through a standard process, why wasn’t that step included? It would have been much more useful than what it did advise.
The lesson: in security, silence is not golden
I write quite a bit about information security (for both individuals and businesses), so I’m all too aware that sharing information is a balancing act. Offering up detailed descriptions of how a vulnerability can be exploited before it has been fixed can make it easier for others to exploit. But that concept always has to be balanced with the need to keep people informed. Major OS vendors regularly keep information about vulnerabilities private until a patch has been developed, but they invariably share the information afterwards. In that context, Facebook’s silence tends to suggest it doesn’t yet know where the vulnerability is.
The global computer security industry depends on information sharing. Security software companies might be commercial rivals, but when it comes to identifying issues and sharing solutions, they communicate readily and openly. Facebook’s contrasting behaviour suggests that its sole interest is in trying to pretend that it cares about security, rather than actually doing anything constructive.
Facebook’s blog post about its spam-detection systems (which, based on my experience, are flawed) talks about “the rare cases in which we make mistakes”. Facebook’s fundamental approach is a mistake, and it’s a mistake that can potentially blight everything it does.
Many people have abandoned Facebook this year because of its high-handed approach to privacy. Right now, Facebook still feels a bit too valuable to me to leave: it’s a great way of keeping in touch with friends I might easily neglect otherwise. But I’m going to find it difficult to trust for anything more complex than sharing status messages, and if I could persuade all my friends to move to Twitter instead, there’d be no turning back.
Had your own Facebook security drama? Tell us what happened and how you dealt with it in the comments.