loading...

Facebook's plain password storage - how was this possible?

dancsee89 profile image Daniel Molnar ・1 min read

"Facebook admits it stored 'hundreds of millions' of account passwords in plaintext" - says the article on Techcrunch. But how could be this possible, when even a junior developer knows that you have to encrypt the passwords in your database?

I have two ideas, but maybe there could be many more possible cases.

1) Facebook stored the passwords encrypted, but used an algorithm that can be decrypted.

2) When a user clicked on login (or possibly during the registration), before checking the password with the database, they sent it to an other service in plain, that stored it.

What do you think? This issue is too huge to be a simple mistake and must have happened for a reason.

Posted on by:

dancsee89 profile

Daniel Molnar

@dancsee89

Frontend dev, with full stack ambitions

Discussion

markdown guide
 

According to the discussion on HN they were logging the full auth request, password included

 

Some rumors also state that these data were "queryable" by many Facebook employees. This sounds literally absurd.

 

Yeah, it was "queryable" because the data leaked in the logs and usually logs are accessible through some centralized tool like Splunk probably.

And I bet there's no way to know if any of those employees accessed any of the users accounts using those passwords :(

I hope there will be a day when the US government will advance regulation for tech companies to really protect user's privacy but I'm not optimistic hehe

 

Almost no one does masking or protecting of their log files data (but they should). Another thing no one does is escape their logging data. So it’s very easy to say pass Linux commands to a website via a form that you know are going to be logged, and by logging that data the server can inadvertently trigger executable remote code...which pretty much means they are pwned.