Facebook’s failure to hide the passwords of hundreds of millions of users from employees has prompted fresh calls for a review of the company’s security policy and coding practices.
As many as 600 million passwords stored in plain text were accessible by up to 20,000 Facebook employees for up to seven years in some cases, security researcher Brian Krebs reported.
He said a Facebook source had told him about “security failures” that allowed developers to create applications that logged and stored the passwords without encrypting them.
In a statement, Facebook said it had fixed the “glitch” that had led to the passwords being on its internal network in plain text. The social media firm also claims that an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook said the issue was discovered in January in a routine security review and that most of those affected were users of Facebook Lite designed for low connectivity conditions, but that the company would notify all those affected, including standard Facebook and Instagram users.
Although Facebook said it would enforce a password reset only if its investigation into the issue uncovered abuse of the login credentials, security industry representatives have advised Facebook users to take the opportunity to update passwords and policies to require two-factor authentication.
Facebook must address ‘tech debt’, says expert
This is the second time that Facebook has been found to have put users’ data at risk due to a flaw in its processes. In September 2018, the company reported a “security issue” with code related to the “View As” feature, exposing “almost 50 million accounts” to account takeover by attackers.
In an attempt to earn back users’ trust, Facebook CEO and co-founder Mark Zuckerberg recently announced plans to make Facebook more privacy focused, after the company’s reputation was shaken by the Cambridge Analytica data sharing scandal.
This latest revelation has put the spotlight on Facebook’s security policies and coding practices, prompting calls for the social media firm to take action.
“This is an example of how poor secure coding practices can cause security vulnerabilities to be created and not caught for an extended period. And when an application has the number of users as Facebook, this problem can become very large, very quickly,” said Matthew Gardiner, cyber security strategist at email security firm Mimecast.
“Given that there is never a legitimate technical or business reason for passwords to be transmitted or stored in plain text, and given that Facebook has a set of quite robust password security practices in place, the only rationale is that this problem was created through insecure coding practices some time in the past,” he said.
The best practice for avoiding this, said Gardiner, is to employ SecDevOps practices (that pull together development, operations and security teams) as an integral part of application development.
“Catching the vulnerability after the fact, but before malicious usage occurs, is good, but doing so at the time of development is much better,” said Gardiner.
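The failure mode described above, an application that writes whole login requests to a log for debugging, is easy to reproduce and easy to catch at development time. The Python below is an added illustration, not code from the article, from Facebook or from any firm quoted here: it shows the unsafe handler next to a logging filter that redacts credential fields before any handler writes them, and a simple check that a CI test could run over captured log output. The field names, the sample request and the test password are constructed for the example.

```python
import logging
import re
from io import StringIO

# Field names whose values must never reach a log line (constructed list; extend per application).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret")

# Matches  key=value  and  "key": "value"  fragments for those names, case-insensitive.
_SENSITIVE_RE = re.compile(
    r"(?P<key>[\"']?(?:%s)[\"']?\s*[:=]\s*[\"']?)(?P<val>[^\s\"'&,}]+)" % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)


def redact_sensitive(text: str) -> str:
    """Replace the value of every credential-like field with a fixed marker."""
    return _SENSITIVE_RE.sub(lambda m: m.group("key") + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrubs credential values from a record before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_sensitive(record.getMessage())
        record.args = ()  # message is already formatted; prevents a second %-formatting pass
        return True


def make_logger(name: str, sink: StringIO, redact: bool) -> logging.Logger:
    """Build an isolated logger writing to `sink`; redact=False reproduces the unsafe setup."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactingFilter())
    return logger


def handle_login(logger: logging.Logger, form: dict) -> None:
    """Request handler that logs the entire submitted form, the pattern the article describes."""
    logger.debug("login attempt form=%s", form)


def log_contains_secret(log_text: str, secrets) -> bool:
    """CI-style check: does any known test credential appear verbatim in captured log output?"""
    return any(s in log_text for s in secrets)


def demo(redact: bool) -> str:
    """Run one login through a logger and return exactly what was written to the sink."""
    sink = StringIO()
    logger = make_logger("demo.%s" % redact, sink, redact)
    # Constructed sample request; the password is a test value, not real data.
    handle_login(logger, {"user": "alice", "password": "correct-horse-battery", "remember": "1"})
    return sink.getvalue()


if __name__ == "__main__":
    print(demo(redact=False), end="")  # plaintext password lands in the log
    print(demo(redact=True), end="")   # value replaced by [REDACTED]
```

The filter is attached to the logger rather than to one handler so that every handler, including any added later, sees the scrubbed record; `log_contains_secret` is the kind of assertion a test suite can run against the log of a login test to fail the build the moment a credential leaks.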
While the details of the incident are still emerging, John Shier, senior security advisor at security firm Sophos, said this is likely an accidental programming error that led to the logging of plain text credentials.
“That said, this should never have happened and Facebook needs to ensure that no user credentials or data were compromised as a result of this error,” he added.
Sam Curry, chief security officer at security firm Cybereason, said Facebook needs to update its security strategy in the light of its size and the data it holds.
“Everyone, including Facebook, has tech debt and security debt that piles up – but that’s not an excuse any longer. Facebook is starting to look like critical social infrastructure, where [its] responsibility is to the public.
“It’s past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can’t do the basic blocking and tackling right? Facebook needs a security strategy for the 21st century, not the 20th century.”
Ilia Kolochenko, CEO of security firm High-Tech Bridge, said undocumented “features” are quite widespread in large technology companies. “Frequently, there is no malicious intent or negligence, but rather an internal ‘hack’ to better resolve some issues or conduct testing.
“The problem is that such shadow data and its usage are virtually uncontrollable, and even now it would be premature to conclude that the latest Facebook issue is fully remediated because numerous backups, including custom backups made by employees, may still exist in different and unknown locations.
“Such issues are very time-consuming to discover even with an external audit. Therefore, when dealing with large technology companies, be well prepared to understand that they know everything about you and internally may handle this data differently from what their policy or terms of services say.”
Take steps to strengthen passwords
In addition to highlighting poor coding practices, the issue has once again prompted calls for improved password practices until alternative authentication methods are widely available.
“This is also another reminder for people who are still reusing passwords or using weak passwords to change their Facebook password to something strong and unique and to turn on two-factor authentication,” said Sophos’s John Shier.
Emmanuel Schalit, CEO of password management and digital identity firm Dashlane, also advises Facebook users to update their passwords even though Facebook claims that the internal exposure of these passwords means that they were not compromised.
“The fact remains that they were not encrypted and exposed for years. Because the impact is still unknown, we would recommend changing your password on Facebook immediately.”
Users of online services, said Schalit, are not able to control the security architecture of the digital services that hold so much of their data, but they can take measures to ensure optimal password hygiene.
“This is the digital version of the ‘containment’ doctrine. One example is using a password manager with a password changer capability to generate and change passwords, ensuring proper and regular cyber hygiene.
“As demonstrated here, you never know when your account may have been exposed and your information vulnerable – regular and proper password hygiene is not just for breaches,” he said.
Stephen Cox, chief security architect of security firm SecureAuth, said continued reliance on passwords is not sustainable and fails consumers.
“Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape,” he said.
“Not only are many organisations using poor hygiene when storing passwords, a large portion of these passwords are already widely available on the dark web due to previous massive breaches. The reality is that people reuse passwords across multiple websites and password leaks can have far-reaching consequences.
“With the trend of password leakage and the resulting credential misuse on the rise, organisations must evolve and adopt modern approaches to identity security, one that improves security posture, but takes care to keep the user experience simple.
“We need to move beyond the password, and basic two-factor authentication methods, to modern adaptive risk-based approaches that use real-time metadata and threat detection techniques to improve end-user trust. The goal should be rendering stolen credentials useless to an attacker.”
Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, said it is common practice to hash and salt passwords in databases. “This makes it difficult for criminals to crack an entire password database,” he said.
“Hashing masks the original password with different values, and salting ensures that even passwords which are the same are hashed differently. The fact that Facebook has failed to carry out these basic activities here is almost certain to be accidental rather than intentional.
“Despite clear negligence, it seems unlikely that GDPR [General Data Protection Regulation] will be applied here. Historically, the ICO has punished businesses which have suffered breaches because of poor password management. However, there is no indication in this instance that a breach has occurred.”
In this case, the Irish Data Protection Commission is the data protection authority concerned because Facebook’s European headquarters are in Dublin. “Facebook have been in contact and have informed us of this issue. We are currently seeking further information,” a spokesperson for the commission said in a statement.