Slashdot Mirror


Facebook Fixes Bug That Allowed Users To Set Other Users' Passwords

An anonymous reader writes: Facebook has paid $15,000 (€13,600) to an independent security researcher who discovered a simple way of resetting passwords for other people's Facebook accounts, setting a new passphrase and effectively taking over profiles.

The problem was in the fact that Facebook also runs a Beta platform on beta.facebook.com. This platform's "reset password" feature did not include brute-force protection and allowed anyone to guess the six-digit verification code sent to someone's phone when resetting the password. This issue also raises another question: How many unsafe features are on Facebook's beta platform that have not been patched simultaneously with the main platform?
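
The brute force described in the summary, as an added example that is not Facebook's code or anything from the original submission. The 6-digit numeric code, the in-memory reset record, the limit of 5 attempts and the 10-minute lifetime are assumptions; the point is the contrast between a verifier with no attempt budget and one that fails closed.

```python
"""Added example (not Facebook's code): a minimal reset-code verifier with
the weakness described in the summary beside a hardened one.

Assumptions: the code is a 6-digit numeric string delivered out-of-band,
the server keeps per-reset state in memory, and the attacker can submit
guesses as fast as the server accepts them.
"""
import hmac
import secrets
import time
from typing import Tuple

CODE_DIGITS = 6
KEYSPACE = 10 ** CODE_DIGITS


def _fresh_code() -> str:
    # Uniform over 000000..999999; zero-padded so every code is 6 characters.
    return f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"


class UnprotectedReset:
    """No attempt counter, no expiry: an attacker can walk all 10**6 codes."""

    def __init__(self) -> None:
        self.code = _fresh_code()

    def verify(self, guess: str) -> bool:
        return guess == self.code


class ProtectedReset:
    """Bounded attempts, short lifetime, constant-time compare, single use."""

    MAX_ATTEMPTS = 5      # assumed budget per issued code
    TTL_SECONDS = 600     # assumed lifetime of an issued code

    def __init__(self, now=time.time) -> None:
        self._now = now   # injectable clock so expiry can be exercised offline
        self.code = _fresh_code()
        self.issued_at = now()
        self.attempts = 0
        self.locked = False
        self.consumed = False

    def verify(self, guess: str) -> bool:
        # Fail closed once the code is spent, burnt or expired; these checks
        # run before the counter so a locked code never leaks anything.
        if self.consumed or self.locked:
            return False
        if self._now() - self.issued_at > self.TTL_SECONDS:
            self.locked = True
            return False
        self.attempts += 1
        # compare_digest does not short-circuit on the first differing byte.
        ok = hmac.compare_digest(guess.encode(), self.code.encode())
        if ok:
            self.consumed = True      # one successful use, then the code is dead
            return True
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True        # later guesses are rejected unexamined
        return False


def brute_force(reset, max_guesses: int = KEYSPACE) -> Tuple[bool, int]:
    """Enumerate codes in order; return (success, guesses_made)."""
    for n in range(max_guesses):
        if reset.verify(f"{n:0{CODE_DIGITS}d}"):
            return True, n + 1
    return False, max_guesses


def attacker_success_probability(max_attempts: int = ProtectedReset.MAX_ATTEMPTS) -> float:
    """Chance a budget-limited attacker hits a uniformly random 6-digit code."""
    return max_attempts / KEYSPACE


if __name__ == "__main__":
    weak = UnprotectedReset()
    print("unprotected:", brute_force(weak))
    strong = ProtectedReset()
    strong.code = "999999"           # worst case for an ascending search
    print("protected:", brute_force(strong, max_guesses=1000), "locked:", strong.locked)
    print("p(success) with lockout:", attacker_success_probability())
```

Two caveats the code does not show: the attempt budget has to be keyed to the reset record or the account, not to the client address, since an attacker rotates source IPs far more cheaply than the server can block them; and the same budget must apply on every host that serves the endpoint, which is exactly what a parallel beta deployment with its own copy of the handler fails to guarantee.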

49 comments

  1. Interesting regression by Anonymous Coward · · Score: 0

    Normally, you don't expect features that do exist in production to not exist in a dev environment. Unless they were planning on removing rate limiting from production...

    1. Re:Interesting regression by Anonymous Coward · · Score: 0

      beta.facebook.com is not a dev environment. At best, it's a test environment.

  2. It's not a bug...it's a feature by evolutionary · · Score: 2

    It's not like Facebook was really private anyway... People can mark/identify others without the account owner's consent. So this is no surprise to me. Security/privacy is not exactly a priority at Facebook. (The opposite, actually.)

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:It's not a bug...it's a feature by Anonymous Coward · · Score: 2, Informative

      People can mark/identify others without the account owner's consent.

      Any time I'm tagged anywhere, I get notified and can force remove it if I choose.
      But it's not like you or anyone else can prevent someone from simply adding text to a picture with their name on it. But let's blame facebook for that too, because reasons.

      Security/privacy is not exactly a priority at facebook

      In relation to this article, this bug only affects people who give FB their phone number and set it to their 'account recovery' preference. I've never done either, mine works via my email, and the "code" they send is pretty damn long and includes letters/numbers/etc.

    2. Re:It's not a bug...it's a feature by Anonymous Coward · · Score: 0

      Spoken as someone who has never worked at or with facebook, or spoken to any facebook employee, presumably?

    3. Re:It's not a bug...it's a feature by darkain · · Score: 1

      "Security/privacy is not exactly a priority at facebook." [Citation Needed]

      https://www.yubico.com/2013/10...

    4. Re:It's not a bug...it's a feature by dbIII · · Score: 1

      In relation to this article, this bug only affects people who give FB their phone number

      It actually creeps me out a bit that Facebook even ask.

  3. beta? by Anonymous Coward · · Score: 0

    You'd normally expect more features in beta, even if not stable. Weird to see less protection on the beta platform

    1. Re:beta? by OzPeter · · Score: 4, Funny

      You'd normally expect more features in beta, even if not stable. Weird to see less protection on the beta platform

      You never saw /. beta did you?

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re: beta? by Anonymous Coward · · Score: 0

      It is still here in mobile view and it is shit

  4. Better question: why running prod data in beta? by xxxJonBoyxxx · · Score: 4, Interesting

    I could see having a per-account switch to "allow me to use my account in beta" (default = OFF) for developers who want to play with this stuff, but why would you want to expose your production customers to untested software like this?

    >> Weird to see less protection on the beta platform

    Not if you've ever seen teams refactor code in a large codebase. When that occurs, you often lose a lot of the "history" and "memory" of a branch, which often resurfaces bugs, edge cases taken care of years ago and new vulnerabilities.

    1. Re:Better question: why running prod data in beta? by halivar · · Score: 1

      I've seen it all the time. You go to rewrite a library or module because it's old and busted, it wasn't sufficiently documented, and you find "joe code" that has you scratching your head. "Why did they do this? This is literally the dumbest way to do this, ever." When your new module hits production, you soon realize why it was just so.

    2. Re:Better question: why running prod data in beta? by Anonymous Coward · · Score: 0

      Because production data is the only way to get production failures out of beta software. It's the best way to test, if you can get away with it.

      The public nature of it is a little scary though.

    3. Re:Better question: why running prod data in beta? by Anonymous Coward · · Score: 0

      Unit tests! Without them, your ship is sunk.

      If it ain't tested, it's broke.

    4. Re:Better question: why running prod data in beta? by KGIII · · Score: 2

      > ... your production customers ...

      There you go again. You seem confused as to who the customer is and, by extension, who gets the prioritized attention and care. (Hint: It's not the people who have 'user' accounts.)

      --
      "So long and thanks for all the fish."
    5. Re:Better question: why running prod data in beta? by xxxJonBoyxxx · · Score: 1

      >> Unit tests!

      I see your newfangled unit tests and raise you legacy code.

    6. Re:Better question: why running prod data in beta? by avandesande · · Score: 1

      Yes that is pretty funny. They were giving their advertisers the opportunity to test that all the advertising and data mining was working.

      --
      love is just extroverted narcissism
    7. Re:Better question: why running prod data in beta? by Anonymous Coward · · Score: 0

      WHAT?!

      No, you take anonymous, random data to construct profiles that use (and abuse) every feature that exists.
      You know, like proper testing.

      Anything that can be identifiable is scrubbed from the DB used for testing features.

    8. Re:Better question: why running prod data in beta? by Jason+Levine · · Score: 2

      Testing? We have no time for testing! We have to ship the product out now because marketing told everyone that the release date was today. It seems to work well enough when we ran it that one time so it must be fine. Besides, you need to work on these five dozen other projects since we fired half the staff and kept the workload the same.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    9. Re:Better question: why running prod data in beta? by Anonymous Coward · · Score: 0

      "User" accounts are used to set up adverts, so this is a problem affecting customers of Facebook, not just products. It was thus worth spending a few quid to thank the spotter.

    10. Re:Better question: why running prod data in beta? by Anonymous Coward · · Score: 0

      I've never seen anyone trying to refactor without having automated tests in place. Must be a horrific experience.

  5. Thank god we're all safe now by WillAffleckUW · · Score: 1

    And we can go back to using "1234" as our password.

    Nobody will ever guess that.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Thank god we're all safe now by gurps_npc · · Score: 2

      Almost 90% of people do not use that passcode.

      What I don't understand is why so few people use 8068. It's a perfectly good passcode, but it's the least chosen one.

      --
      excitingthingstodo.blogspot.com
    2. Re:Thank god we're all safe now by WillAffleckUW · · Score: 1

      Almost 90% of people do not use that passcode.

      What I don't understand is why so few people use 8068. It's a perfectly good passcode, but it's the least chosen one.

      I always use 8077. Better chipset.

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:Thank god we're all safe now by Anonymous Coward · · Score: 0

      I think you mean 8086.

    4. Re:Thank god we're all safe now by Anonymous Coward · · Score: 0

      http://datagenetics.com/blog/september32012/index.html

      Password "rock paper scissors": Why not choose "9629"? After all: most people who switch from 1234 to the bottom of the list will choose either 8068 or 8093, so obviously: 9629 is the correct 4 digit pin to select!

      "and you must have suspected I would know the powder's origin, so I can clearly not choose the wine in front of me!" https://www.youtube.com/watch?v=U_eZmEiyTo0

  6. Wish I'd known about that. by Anonymous Coward · · Score: 0

    The reset email never shows up in my inbox. I've been locked out of my facebook account for three years. I should have hacked my way back in when I had the chance.

  7. Re:questions abound by Anonymous Coward · · Score: 4, Insightful

    Facebook is not about customer service. It's not Mickey Ds.

    FB is largely a platform for people, namely Americans, to bolster their ego without doing any real work. You just post some tit pictures and let the "likes" roll in, and if puffs your ego up. FB is one of the worst things to ever happen to the American psyche. Everyone thinks they are a bad ass with talent, whereas reality is closer to "whiny bitch that no one cares about"

  8. only $15k? by Anonymous Coward · · Score: 4, Insightful

    fucking cheapskates.

    ___

    wtf is with captcha treating me like a nigerian prince trying to send webmail? captcha: zmnjwfm

  9. also... another... by wonkey_monkey · · Score: 1

    This issue also raises

    What did it do first to warrant the use of the word "also"?

    another question

    What was the first question?

    --
    systemd is Roko's Basilisk.
  10. Problem is password reset itself by WaffleMonster · · Score: 3, Insightful

    Schemes for resetting passwords fundamentally lower the security of the system and almost always rely on insecure transports (Email and SMS).

    At the very least users should be given the option of not allowing any password reset or recovery features to be used in conjunction with their account.

    Rather than conceding to inevitability of forgotten passwords I would rather see sites warn users ahead of time what the consequences are including suggestion to write it down and store it in a safe place.

    --
    From original Descent devs
    http://media.revivalprod.com/O...

    1. Re:Problem is password reset itself by Anonymous Coward · · Score: 0

      Schemes for hot linking to ZIP files fundamentally lower the security of the system and almost always rely on insecure transports (Email and SMS).

      At the very least users should be given the option of not allowing any hot linking to ZIP files or recovery features to be used in conjunction with their account.

      Rather than conceding to inevitability of hot linking to ZIP files I would rather see sites warn users ahead of time what the consequences are including suggestion to write it down and store it in a safe place.

    2. Re:Problem is password reset itself by castionsosa · · Score: 2

      Password recovery is in itself, an art form.

      One thing I've wondered about is the concept of password recovery providers. Not a central website, since it can get compromised, but different organizations, similar to how OpenID is set up.

      When setting an account with some provider, one chooses a recovery provider or providers, and what methods will be used to get back the account. This way, if someone has their own dedicated VM or device that makes an OATH number, that can be used. Another provider sends an encrypted SMS message, and has an app that decrypts it for the user. Still another provider sends out a physical card via registered mail with a bunch of scratch-out blanks. Another provider has a database of recovery questions (similar to how PGP Server used to have a way to recover keys), and someone uses x out of y questions (where are the bodies buried) to get a valid recovery code.

      This would provide a lot of flexibility, but still have solid security. For example, someone might have a basic E-mail account, and for them, just a "click here to get a recovery code" message is good enough. Other people might want a physical device, similar to a SecurID "calculator" that is offline and airgapped, requires a PIN to get a recovery code. Still other people just want to have a scratch-off card with passwords in one lock-box, and SMS messages on their phone for general use.

      I've also wondered about a device similar to the SecurID fob, except with no battery (plug it into a USB port to power it, but it doesn't use the plug for data), it would keep sync with time via a 3G connection, but would function as an offline device (punch button, get recovery code.) This could be tossed in the desk drawer, safe, or other spots, for something to recover an account, should all else fail. If it used a standard TKIP protocol, it would be simple, and decently secure.
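
The scratch-off recovery card from the comment above, as an added example that is not the commenter's code nor any real provider's implementation. The code length (80 bits), the count of eight codes, the PBKDF2 parameters and the dash formatting are assumptions; what it shows is that the site can hand the user a set of offline one-time codes without ever storing the codes themselves.

```python
"""Added example (not from the comment or any real provider): one-time
recovery codes of the "scratch-off card" kind, stored server-side only as
salted PBKDF2 hashes and burnt on first successful use.

Assumptions: codes are shown to the user exactly once at enrolment, each
code is valid exactly once, and the server keeps one salt per user.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

CODE_BYTES = 10             # 80 bits of entropy per code (assumed)
CODE_COUNT = 8              # codes per card (assumed)
PBKDF2_ITERATIONS = 100_000 # work factor (assumed)


def _normalise(code: str) -> bytes:
    # Accept the code with or without the dash and in either case.
    return code.replace("-", "").strip().lower().encode()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(code), salt, PBKDF2_ITERATIONS)


def _format_code(raw_hex: str) -> str:
    # Two groups of ten characters read more easily from a printed card.
    return f"{raw_hex[:10]}-{raw_hex[10:]}"


class RecoveryCodes:
    """Server-side record for one user: salted hashes, each slot spent once."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes: List[Optional[bytes]] = []

    def issue(self) -> List[str]:
        """Generate fresh codes, keep only their hashes, return plaintext once.

        Calling this again invalidates every code from the previous card,
        which is the behaviour a user who lost the card wants.
        """
        codes = [_format_code(secrets.token_hex(CODE_BYTES)) for _ in range(CODE_COUNT)]
        self._hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, candidate: str) -> bool:
        """Return True and burn the matching slot if candidate is an unused code."""
        digest = _hash_code(candidate, self.salt)
        for i, stored in enumerate(self._hashes):
            # compare_digest avoids leaking how many leading bytes matched;
            # the loop still returns as soon as a slot matches, which only
            # reveals the slot index of a code the caller already holds.
            if stored is not None and hmac.compare_digest(stored, digest):
                self._hashes[i] = None
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for h in self._hashes if h is not None)


if __name__ == "__main__":
    card = RecoveryCodes()
    printed = card.issue()
    print("give these to the user once:", printed)
    print("first use accepted:", card.redeem(printed[0]))
    print("replay rejected:", card.redeem(printed[0]))
    print("codes left:", card.remaining())
```

Redeeming a recovery code should be subject to the same attempt budget as any other reset path; 80 bits makes online guessing hopeless, but a lost card is a credential, so a successful redemption is a good moment to force re-enrolment and to notify the account's other contact channels.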

  11. wow by softnewsit · · Score: 1

    15K? I would have paid more. That's total account compromise from what I can read. That deserves more, even if the entry point is from the beta platform.

    --
    Go away!
  12. Re:questions abound by Anonymous Coward · · Score: 0

    Nearly all my friends have Facebook accounts. It's easy to chat with people. It's easy to view my chat logs (compare to the old AIM, where I couldn't view my chat logs everywhere, even though I'm sure they stored them for themselves). It's easy to share photos and news articles. It's incredibly easy to schedule events. The event feature is killer, probably my favorite aspect.

  13. Re:questions abound by Anonymous Coward · · Score: 0

    Fucking epic, you nailed it. It's like the trend now where everyone is an "engineer" even though they're just copypasting bits of Ruby and PHP around, let alone understanding actual solid coding practices and algorithm design.

    And it's not just Facebook that bolsters the ego of these codemonkeys by calling them "engineers". Central and northern CA is littered with companies that continue this idiotic practice.

  14. Problem with script kiddies running websites by JoeyRox · · Score: 1

    They don't know anything about programming and even less about security.

    1. Re:Problem with script kiddies running websites by avandesande · · Score: 1

      Script kiddies wouldn't have chosen a professional language like PHP!

      --
      love is just extroverted narcissism
  15. Re:questions abound by OzPeter · · Score: 1

    FB is largely a platform for people, namely Americans, to bolster their ego without doing any real work.

    Except that world wide, North American FB usage is less than 20% of total FB usage.

    --
    I am Slashdot. Are you Slashdot as well?
  16. Lol, a Facebook security problem?? by JustAnotherOldGuy · · Score: 1

    A Facebook security problem? I can hardly believe that, seeing as how it's never happened before. *cough*

    --
    Just cruising through this digital world at 33 1/3 rpm...
  17. Finally paying, are they? by Anonymous Coward · · Score: 0

    Instead of suing the guy for figuring it out, they're finally paying out their bug bounty?

    Interesting, maybe i'll finally submit my findings.

  18. Re:questions abound by Anonymous Coward · · Score: 0

    Speaking as someone in my 30s who has been programming since I was 6, I use Facebook to banter with mostly non-techie friends who don't live close, find out random things about their lives, and share pictures of cats. It's a tool for casual socialisation online, not intellectual gentlesirs nor rebels with a cause.

  19. Hmm... by iTrawl · · Score: 1

    So that's how I ended up in Oregon, checking my Facebook on a Windows machine... Good thing they didn't bruteforce my 2nd factor.

    --
    "Everybody's naked underneath" -- The Doctor
  20. You are not the customer by dbIII · · Score: 1

    but why would you want to expose your production customers to untested software like this?

    You are not the customer.
    Advertisers are the customer.
    You are the product.

  21. At last! by Anonymous Coward · · Score: 0

    This is the news I've been waiting for. I can finally create a facebook account.

  22. $15,000 , really? by xvan · · Score: 1

    Is it only me who thinks that it's a really low bounty for such a bug? I mean, relative to the black market price.

  23. Re: questions abound by Anonymous Coward · · Score: 0

    Not to be a dick, but you're right and it may be good. The egoism you're describing is described in research as "self affirmation." Studies are showing that FB is good at it and that it may be healthy for us to do.

    IIRC, Jeff Hancock (currently at Stanford) has some articles on this idea.