Facebook will never be completely secure

Yesterday, Facebook announced that it found -- and fixed -- a stunning security breach that put 50 million people's accounts at risk. In the words of Facebook executives, the attack was "sophisticated" and its reach was "broad." And, more chillingly, we don't know who was behind it or what they intended to do with that account data.

"While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk," Facebook CEO Mark Zuckerberg said, "the reality is we need to continue developing new tools to prevent this from happening in the first place."

His sentiment is correct: Facebook needs to prevent these sorts of breaches before they happen. But is that even possible? Can Facebook pre-emptively stamp out every potentially disastrous vulnerability before it's discovered? Almost certainly not.

Facebook has come a long way since one person could actively manage it from a dorm room. Aaron Chiu, a software engineer for Facebook, noted on Quora that as of five years ago, core Facebook was made up of 62 million lines of code. A codebase that complex requires a great many stewards and the service has only grown more sophisticated since then. More moving parts means more things that could potentially go awry, but the service's growing complexity means it's highly unlikely the company will ever be able to completely secure its products. (When asked if the company felt otherwise, a Facebook spokesperson simply pointed at existing statements.)

It doesn't help that this breach -- one of, if not the, largest in the company's history -- came about through a seemingly unlikely confluence of flaws.

Guy Rosen, Facebook's vice president of product management, said on a call with reporters earlier today that the breach was the result of three bugs inadvertently working in tandem. The first allowed people using Facebook's View As feature, which lets you see what a particular friend would see if they looked at your profile, to access a video uploader that they shouldn't have been able to use. That uploader is the crux of bug number two: it created a single sign-on token meant for Facebook's mobile app, not the standard web version. The final bug was arguably most damning: the access token created by the video uploader was for the account being viewed, allowing the attacker (or attackers, we're not sure) to gain access to a stranger's profile and repeat the process for that person's friends.

That's a highly arcane discovery to make, and had any one of those features worked correctly, 90 million people wouldn't have to worry about what's happening with their personal data. If you zoom in on those individual issues, though, they seem relatively benign. Facebook missing a single huge flaw would've been one thing; this breach was made possible by three small ones failing together. These kinds of cascading, co-dependent failures can be difficult to account for, especially when you take into account how frequently Facebook seems to update the components of its service. That's fair enough: there are a lot of them, after all.

While it might be tempting to assume that a recent management shake-up that left Facebook without a Chief Security Officer didn't help, the company claims the opposite. Facebook said earlier this year that it has begun to embed security engineers and analysts into product engineering groups to help address new threats, and Rosen told journalists he thinks that move helped internal investigators "find and address" this issue faster.

Rosen also noted that Facebook is gearing up to increase the number of employees working on "safety and security" from about 10,000 to 20,000. Throwing eyes and brains at the problem is certainly a step in the right direction, though members of the security community insist that it'll take more than just new hires to ferret out flaws.

"It's not necessarily the number of eyes on a piece of software that matters, but more so the diversity of people probing it," Malwarebytes researcher Jérôme Segura told Engadget. "This means that internal code review is great but the benefits of having third-party researchers and companies scrutinize it as well is invaluable."

As this whole debacle has proven, a handful of tiny flaws working in ways no one expects is capable of doing plenty of damage. Thankfully, there are ways for Facebook to get better at addressing the low-hanging fruit: Segura said that code segmentation and compartmentalization, combined with regular internal and external audits, "can actually make the overall product more secure." Even so, Segura conceded that "complex bugs will always exist."

For now, all we can do is wait for answers. Facebook is confident that only 50 million users were directly affected by the vulnerability, but the company isn't yet sure how (or if) those accounts were "misused". And considering the scope of this breach and the continued involvement of the FBI, it'll be a while before we understand the full extent of what those attackers were after and whether they were ultimately successful. One thing seems clear, though: Facebook is a complex service that stores a lot of valuable, personal information, and it has a target painted on its back. These attacks aren't going to stop anytime soon, and Facebook won't be able to fend off all of them forever.



via Engadget RSS Feed https://ift.tt/2QhIWUC
RSS Feed

If New feed item from http://www.engadget.com/rss-full.xml, then send me


Unsubscribe from these notifications or sign in to manage your Email Applets.

IFTTT

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more