In the wake of Facebook's breach of (more than) 50 million accounts, we're starting to get some explanations, and they are hair-raising. No group is perfect, but it's a chilling reminder of the consequences of missing things in security analyses and audits. One of the ways companies farm out this difficult labor is by offering bug bounties to white hat security researchers who point out vulnerabilities to them. Facebook's current troubles reminded Twitter user @codepaintsleep of their friend's interaction with that program.
@codepaintsleep: "You know how some "forgot your password" links just click to log you right in? In December 2016, that applied for all links sent to a specific person from Facebook. A friend of mine saw it via forwarded link, I confirmed it, he reported it. They didn't even give him a bug bounty." twitter.com/me_irl/status/… (12:09 PM - 29 Sep 2018)
Quoted tweet from the government man (@me_irl): "lmao. apparently the implementation of Facebook's "view as" feature (which lets you view your own profile as another user of your choice would see it, with privacy restrictions applied) involved loading that other user's private access token into your session???" https://t.co/9UJisodNkv
In December 2016, Facebook would send an automatic login email to people in certain situations. If that email got forwarded to anybody else, they would be able to click that link and receive full access to your Facebook account. A rare situation, perhaps, but a critical breach of someone's privacy if it ever did happen. @codepaintsleep's friend absolutely did the right thing by reporting the vulnerability, and they didn't even do it for the bounty at first.
However, I don't think the most cynical Facebook critic would have predicted Facebook's reason for not awarding a bounty—they said granting someone else access to your account via forwarding an email intended for yourself was "intended functionality." It was functionality so intended that Facebook patched it out and closed the vulnerability within 20 minutes of a good samaritan reporting it.
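The defect described above is a login link that stays valid for anyone who holds it. The usual mitigation is to make such a link single-use and short-lived, and to store only a hash of the token so a leaked database cannot be replayed. The following is an added example written for this article, not Facebook's code; the class, method names and the 15-minute lifetime are my own assumptions. A forwarded link still works for exactly one person, so the owner who clicks first consumes it, and a link that sits in a forwarded thread for a while simply expires.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class _TokenRecord:
    user_id: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, short-lived login tokens.

    Only the SHA-256 digest of each token is kept server-side, so a
    leaked token store cannot be turned into working links. Redemption
    marks the record used, so a forwarded or reused link cannot log a
    second person in. (Hypothetical service written for this example.)
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock           # injectable so tests can advance time
        self._records = {}            # digest -> _TokenRecord

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh 256-bit token for user_id and return it for the e-mail."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = _TokenRecord(
            user_id, self._clock() + self._ttl
        )
        return token

    def redeem(self, token):
        """Return the user_id if the token is valid, else None. Consumes it."""
        digest = self._digest(token)
        rec = self._records.get(digest)
        if rec is None or rec.used:
            return None                  # unknown, or already consumed
        if self._clock() > rec.expires_at:
            del self._records[digest]    # expired: drop it, never honour it
            return None
        rec.used = True                  # single use: second click fails
        return rec.user_id


def demo():
    """Issue a link, show that it works once, then not again, then not after expiry."""
    now = [1_000.0]                      # constructed fake clock
    svc = MagicLinkService(ttl_seconds=900, clock=lambda: now[0])

    token = svc.issue("alice")
    first = svc.redeem(token)            # "alice": the owner logs in
    second = svc.redeem(token)           # None: a forwarded copy is already spent

    stale = svc.issue("alice")
    now[0] += 901                        # more than the 15-minute lifetime passes
    expired = svc.redeem(stale)          # None: too old to honour
    return first, second, expired


if __name__ == "__main__":
    print(demo())
```

The store is keyed by digest rather than compared token-by-token, so no timing side channel arises on lookup; the token itself is the high-entropy secret and is never written to disk.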
Obviously, this was just an excuse not to pay, and maybe it doesn't need to be anything more than a multi-billion dollar company being a skinflint. But not paying your bug bounties, especially for something like this, defeats the purpose of the program.
While Facebook is apologizing again and again for controversies, saying they've "learned a lot" from the consequences of their mistakes, always keep in mind that their business model is disregarding your privacy and that is their only intended functionality.
Top comments (35)
Facebook is really annoying. Someone should invent a social media that takes privacy into consideration. Not little nit-wit Facebook privacy.
Or maybe delete all social medias. And live on messengers instead? IDK.
I think the opposite would be better for society, a social media site that functions as a journal and posts go public after 10 years or so. The problem with Facebook is that it erodes privacy and monetizes people's attention while running advertising that is designed to alter people's behavior, and that it fundamentally alters the incentives of networking to benefit itself, and that it essentially locks away people's thoughts forever after they die because it replaces journals or correspondence. Something that doesn't do any of those things would be great, and I reject the idea that sites like Facebook or Twitter can't exist without VC and ads. Maybe they wouldn't make all the money in the world as they try to now, but that's not a reason to make the world worse.
I'm sure it's possible to attract enough (no-strings-attached) funding for development, but there are two real problems:
1) How to make the platform 10x more addictive so people are actually on it instead of facebook
2) Operational costs. It could be distributed if people still used good christian desktop PCs, but with most of the population being on their low-battery phones and expensive mobile connections? :(
(I don't usually phrase comments this way, but I really just have such disparate thoughts on this. Sorry it's a little weird.)
1a) Much like the goal of outrunning a bear with a partner is not outrunning the bear, it's outrunning the partner, the goal of another social network is not (or should not) be to surpass Facebook. It is to become sustainable in proportion to their funds.
1b) I prefer not to intentionally design things to be addictive. That's abusive of people's trust.
2) We never talk about Facebook or Twitter abandoning targeted advertising, and I get why. They're so entrenched in those business models. However, if they were the ones to adopt more humane funding models, then they would still be the top dog in their corner of social media. Moreover, if the argument is that they would have to shut down if they don't sell people's data to advertisers--that ordinary users would not crowdsource money to keep it afloat--then, by their otherwise pseudo-capitalistic logic, doesn't that mean their users don't want them around enough and that they should go out of business? I don't think they would have to go out of business; they just wouldn't be able to generate as much revenue and would have to cut back staff/C-suite pay down to what they should have been in the first place, which is not a service problem. We could force the issue by banning targeted advertising, but I don't think that's likely to happen because of their incredible government lobbying.
Facebook is a public company. The goal of a public company is to maximise profit. There's no way they can leave this business model and not get sued by investors. They could change the business model by going private but then Facebook would need to buy back its stock shares, which is highly unlikely.
Musk wanted to take Tesla private last month, it would have cost 71 billion dollars at the time. Facebook is worth 474 billion dollars :-D
Probably, but I think that the more privacy issues they have, the more likely they are going to regulate it.
1a) Social networks have incredibly strong network effects. Unless they are intentionally niche platforms and not general purpose communication tools, it's either all or nothing.
1b) If a private company could have a product that's addictive enough to get a market share, they could then go on to effect great positive change. It's possible to sugar coat our words and say things like "engaging", but at the end of the day we need to acknowledge that everything currently in use is winning because it is ridiculously addictive, and isn't just a "frictionless tool that allows us to fulfil our needs and then gets out of the way".
2) I am strongly opposed to any sort of government or regulation, practically and morally, I firmly believe that it is always infinitely harmful.
So, how do you protect users from a company worth half a trillion dollars that has no intention to put their users at the center?
"Just competing" is not enough. It's not impossible obviously, it might happen in the grand scheme of things that Facebook "fails" but companies have never been this rooted in the history of capitalism.
There have been companies before Google, Facebook, Amazon and so on that were worth more, but as far as I know no companies with so much information about their "clients" have ever existed. Standard Oil was worth a trillion dollars at the beginning of the 20th century, but they definitely didn't know what Paul from Connecticut did during his work day :D And Standard Oil was broken up because of... monopoly.
You can't be totally against any sort of government intervention, or regulation. Eventually we would have only one film studio (Disney?), one internet provider, one tech company, one this and one that...
As you say, and I agree, the straightforward way to end Facebook supremacy is to create a valid alternative not to destroy it with regulations but regulations are not there for Facebook, they are there to limit companies bad behaviors, which they still pursue even with regulation (like the fact that most of the tech companies pay little taxes by gaming the system, which I find more appalling than tracking their users in a way)
It is not true that a public corporation's purpose is solely to make money. I'm on mobile right now, so I direct you to the links on the "shareholder value myth" in the RE:Open Source Has Not Failed article on my account. Investors do not own corporations, and they cannot sue a corporation for not solely making decisions that maximize profits or shareholder value.
Thanks for the suggestions! I watched Lynn Stout's two short explanations on the "shareholder value myth" and loved them :-) When she talks about the life expectancy of publicly listed companies I started thinking of all these startups that are thrown into the stock exchange, like IPOing is the only way to go, but I guess they do that also because they took too much money from VCs in the first place. If you click around TechCrunch you see an insane amount of money thrown at startups.
She makes a really good point, but it doesn't mean that everyone believes that. She's even challenged on this in the second video. "A system that's structurally designed" is how she calls it. I believed the myth as well and I don't own stocks :-) I'm quite sure most capitalists believe this myth too. The Starbucks guy confirms that indirectly. He talks about going into meetings talking about customers and people, and I'm sure that Facebook is the same, they truly think they are doing their best for their users and their mission; it's this disconnect that makes them dangerous. After all, if you don't believe it truly you just go with the flow and end up being ineffective.
Going back to Facebook: Zuckerberg has 60% voting rights so I guess it's mostly up to him to decide in which direction the company goes. Which doesn't really make me think it's going to go in another direction for a while.
Honestly, I don't know of any monopolies that formed in spite, and not directly because, of government regulations. Sure, they occasionally plunder a big company to the applause of the population, but it's the regulation that prevents new players from entering the market.
The reason we like to complain about apparently or truly monopolistic service providers is because their services are clearly of very poor quality, with ways of improving them obvious to most of us. Usually this also comes in combination with being overpriced.
So, surely such a terrible service is easy to challenge even without infrastructure and economy of scale? Not so fast, because of certification, regulation, and infrastructure planning, all of which are affordable to comply with/lobby for the big company, but prohibitive in cost and complexity to the new player.
So, there's always been churn in market leaders, and regulation only slows it down. What about the internet though? It may seem like the exponential network effects of the web may forever cement the lucky few. Well, the unregulated internet, combined with open source knowledge and scalable (to the low end as well) public cloud services means it's cheaper and easier than ever to get your idea online, where the established company has far less governmental means to interfere with you. That is, until something like GDPR comes along and makes the little guy easy pickings for a government foray.
@rhymes can you be more specific as to what the users need to be protected from? I don't see how these companies are aggressing against anyone (violating anyone's rights), regardless of how much I disagree with their actions and policies.
I wouldn't call their software malicious, because it doesn't try to evade permission systems and AFAIK has not been proven to spy on anyone.
Could it be considered fraud? Also not really, since they don't make any false promises to the users.
No objection to making them fail as a result of educating users though, that seems like an unequivocally moral thing to do.
Their privacy needs to be protected. Zuckerberg famously said (though he changed stance on that) he didn't believe much in online privacy. What instead I find more telling, and it's at the heart of FB, is that the genius of their business model is convincing people to volunteer so much information about them for free. Which is fine, there's nothing illegal about it. The issue though is what you do with their data and how data is then managed. Yes, exporting data from FB in a zip file is more or less useless, but I strongly believe in the right of an individual for oblivion, that's the part I like more about GDPR :)
Obviously nothing will change if people don't learn how to use the web better, but that's another story.
Failing to police hate speech qualifies as malicious in my opinion: theguardian.com/world/2018/apr/03/...
Well, it depends on the definition of spying. Can following and gathering user behavior on third party websites be counted as spying?
I'm not saying they are doing illegal things, I'm saying I don't like what they do.
Exporting data from FB in a zip file is a godsend for moving to another network, I just wish it included more. I do understand that legally requiring this from every site is a huge burden though, so I wish it was voluntary.
I totally don't. If you want to limit someone's rights regarding their own knowledge/data, you must enter into a binding contract with them prior to disclosing the information. This is how eg NDAs work. If you gladly provided the information yourself without being promised anything of the sort, you don't have any rights to it.
I do think it's moving in that direction, and not in the opposite. It just doesn't always seem like it because of new users. But once there is worldwide coverage, that should stop.
I was talking about malicious software in the usual sense, not anything like a malicious community or malicious platform.
I don't think Facebook can possibly be accused of too little censorship, most certainly on the contrary - censorship is their biggest sin.
This "following" requires the consent of your browser (representing your person) and the consent of the owners of the "third party websites" (which might not be informed, but it is their responsibility to consider what they deploy on their site).
I don't think Facebook can be demonized when you allow your browser to actively contact FB servers when encountering "third party" sites which instruct your browser to contact FB servers.
Neither do I, but "protecting" sounds like legal action, whereas the only moral recourse I see is education.
In theory sure, but for the regular user is mostly useless, if not to rejoice at old memories. What are you going to do? Upload your Facebook zip to Twitter? Maybe with something like Tim Berners-Lee's new initiative Solid true portability will be achieved, but still, we're talking about portability between different social networks. My list of Facebook likes is useful only in the context of Facebook.
Well, we agree to disagree :-)
The thing is they censor whatever they want to censor, but again, it's a global private company and speech laws are different everywhere. Another issue here is abuse, which is the same thing Twitter users complain about.
You can't consent to something you don't know about. You realize that users aren't tech savvy like us, right? If I read your sentence up there to my non techie friends they will look at me like I'm from Mars. Yes, we all consent to the terms of condition without reading them and that's bad, but that doesn't mean the fact they put everything they want in the TOS is a good thing.
I think we need both. Look at food safety, would you prefer to live in a society where NO food safety laws existed and trust companies to have your best interest in mind and people to get informed about every single item of food they ingest before doing that? I definitely wouldn't, so I'm okay with the governments regulating what we eat. Are all regulations perfect? Not in the slightest, but most are better than nothing.
Yeah, I'm totally pro-Solid. For years I've been inventing a Solid most days, sometimes a couple on a slow day. It's a very pragmatic approach to Web 3.0, without trying to shove a blockchain where it don't belong.
In the meantime, our "savior" social network can accept migrations from FB using these zips, using some data and keeping the rest around until it knows what to do with it. Can totally migrate to Solid or an alternative when it's available, and save on storage.
As often is the case, we can't really do that, can we? If we go along with the opinions of one of us, these companies will be forced to delete data they never promised to delete at gunpoint.
And if we go along with the opinions of the other, this data would be totally legal to keep, meaning the "right to oblivion" is being grossly violated.
In either case, one of us sees a crime (not a mere unpleasantry) being committed.
"Oh no, I used a program without knowing the consequences. Someone please regulate something!" (No. You literally did this to yourself, the third party site owner didn't even record your actions and then donate them to Facebook (which in most situations would be totally legal), you did it.)
Definitely. A stack of food producer + certification lab + shop is plenty for me. All I ever got from the government is rusty water, late disclosure of contaminations and infections "to not cause panic" and the legal recognition of ridiculous labels like "non-GMO" and "Organic" that allow selling objectively more dangerous foodstuffs at a higher markup. (More of that nice lobbying by entrenched companies.)
I don't see it as a crime, I just hope people had a right to oblivion. Especially in a context like Solid where you own your data :-)
Well, laws and rules also exist to protect people from their own bad judgement, it won't be the first time. Otherwise you wouldn't need moderation on social networks, because people are always the best version of themselves in any context, are they :D ?
Tap water here in Milan is fine.
I don't know where you live on the planet but I'm glad in Europe we have stricter food laws than in the US for example. Don't tell me you've never heard of companies trying to sell severely expired or shit food to their customers. Your faith in the same companies that lobby for that ridiculous "organic" label is weird to me.
Again, the regulations are not perfect but no regulations definitely wouldn't improve the quality of your food.
Then we are using different definitions of "a right".
When I say "a right" I mean something we all guarantee to each other, a fundamental invariant, something violating which would threaten the fabric of our society so much that we often come to the defense of the rights of third parties without immediate self-interest at stake. Most fundamentally for me that is property rights, since most if not all other rights such as self-defense, freedom of speech, etc, can be derived from property rights.
Yeah, we should be abolishing those, not piling more on.
Less costly but insufficient/irrelevant regulations will both lower operational costs for existing companies, and allow more new companies to enter the market.
This provides me with more variety to choose from, so that I can benefit from the highest quality (in my own opinion) and reward the companies providing it to me.
This is exactly what I mean when I say that IT regulations such as GDPR reinforce the position of gigantic entrenched companies like Facebook, which are essentially integrated with the government at this point, and snuff out any potential competition to them. Also a link lol.
I know what a right is, I'm not talking about basic or fundamental human rights or rights guaranteed by countries' constitutions. I'm just using the common name for that concept: Right to be forgotten. It shouldn't be called like that, but I didn't invent it.
Not sure where you got that quote from :D
As I said, I don't think the system is perfect, but I think totally zero regulations is not the way to go. Less regulations or better regulations is fine by me.
Gotcha. Can just never be sure, with demands for new real rights like "the right to have your demographic be represented in AAA media" and "the right to free healthcare" popping up almost every day.
Don't do dis. That's how you end up with criminalized prostitution, people smoking weed in their home incarcerated, and sweatshops closing down further reducing people's options to not starve.
We'll burn that bridge when we get to it. As long as we acknowledge the existing problem.
1a) I agree network effects are a consideration, but they are not the only consideration. It's definitely not all or nothing. Look at reddit, which organizes people into many fiefdoms each with their own network. Facebook's choice to be a global "community" 🤢 has proven itself resistant to moderation, but it's not the only viable model. I mean, look at how MySpace pivoted to musicians.
1b) If addictive tendencies are implicated by an app, then that's usually something to mitigate. The Time Well Spent group talks a lot about this and I'm pretty sure that kind of sentiment is behind all the app usage tracking in new iPhones.
2) This kind of thinking descends from the idea of "freedom of contract", which was specifically created to justify actually, verifiably corrupt corporations and trusts manipulating markets and public opinion to suit laws to their own purpose. The reason they had to create a separate ideology for it is because regulation was working and they had to break up companies like Standard Oil. I suggest reading about the history of that phrase, and "We the Corporations" is a great book on that.
To be fair, Facebook operational costs must be astronomical. One of the few reasons to take VC money is to operate servers for billions of users. But yeah, there has to be an alternative path.
Maybe there should be a distributed platform. But keeping both privacy and distributed will be a big challenge, especially with photo's and videos..
Maybe something like Mastodon ?
Mastodon? Already has 2 Million + users, federated and is libre software!
Forwarding a 'log me in' help link does seem like authorizing the recipient to log in to your account 🙄 the security step lies in receiving the link itself.
Preventing users from taking actions that hurt themselves is also a part of security. If you can't think of a reasonable situation wherein a user would want to forward an automatic login, then why give them the option to shoot themselves in the foot and then blame them for firing?
They aren't giving them that option. That is out of Facebook's scope. They sent a password recovery e-mail. If you received it and use your e-mail client to forward it to someone else and they get into your account, hey that's on you buddy.
>They aren't giving them that option.
>If you [do that option], hey that's on you buddy.
That's a contradictory, unreasonably user-hostile perspective.
Probably true since I never even heard of it. XD
A friend of mine reported a way to see the friends list of people that have hidden their friends list and facebook claimed that this wasn't a bug (but still fixed it a few months later) and did not give him any bounty either.
Tim Berners-Lee just announced a project to empower people with their own data: medium.com/@timberners_lee/one-sma...
Very much related: "Clicking a Facebook link logs me into another person's account" by Peter Kim Frank
My reply from Facebook, for what it's worth:
That reminds me. A few days ago we were revisiting some old bugs in our project and one of them was "looking at a picture logs me in as administrator".