Slashdot Mirror


Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug (theverge.com)

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.

50 comments

  1. common sense by Anonymous Coward · · Score: 1

    Without even checking, it seems obvious that 362-65 isn't FBOOK... there's no doubles.

    1. Re:common sense by Anonymous Coward · · Score: 0

      Without even checking, it seems obvious that 362-65 isn't FBOOK... there's no doubles.

      32665? Someone dyslexic maybe...

    2. Re:common sense by Anonymous Coward · · Score: 0

      FOB-OK?

      Sound it out and maybe it's supposed to represent "faux book"?
      Fake book. Sound plausible.

  2. one of their employee was the "bug" by Anonymous Coward · · Score: 0

    .....

  3. No. No it is not. by Anonymous Coward · · Score: 5, Interesting

    ... which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone.

    No. No it is not.

    Some may be stupid enough to believe that, but not I.

    1. Re:No. No it is not. by ToTheStars · · Score: 4, Insightful

      Shame on whoever modded this down -- "2FA" over SMS is empirically proven insecure, by e.g. social engineering attack on the cell phone company to redirect text messages to an attacker's phone.

    2. Re:No. No it is not. by Anonymous Coward · · Score: 1

      Whoever did it can see the IP address and has drunk the Kool-Aid, and is working to suppress free discussion.

      It is about harvesting your phone numbers, not about your account security. That is why it is insecure. It has nothing to do with security.

      With your phone number your location is known and your movements tracked.

      Me, I have no cellphone, never will.

    3. Re: No. No it is not. by Zero__Kelvin · · Score: 1

      Yes, and door locks are useless and inherently insecure because it has been proven that keys can be stolen! Yes, you are a fucking idiot.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    4. Re:No. No it is not. by Anonymous Coward · · Score: 1

      We're trying to stop script kiddies and password list leaks, not targeted attacks. There is no such thing as secure, just a sliding scale, and SMS based 2FA is nonetheless better than password logins alone.

    5. Re: No. No it is not. by Khyber · · Score: 1

      "Yes, and door locks are useless and inherently insecure because it has been proven that keys can be stolen! Yes, you are a fucking idiot."

      No, you're the idiot in this case, boss. Your analogy is flawed, the OP is more correct. 2FA can be 'picked' by 'tricking' the phone company into thinking a legit user "the key" is requesting a transfer.

      Thus doors and locks are inherently secure because they can be picked, keys be damned.

      I say that as I hold 9 different acrylic-body locks, made specifically for the purposes of learning how to pick locks.

      Protip: Anyone with a small flathead screwdriver bent 90 degrees at the shaft and a thin rigid piece of metal with a tiny curve at the end can rape your typical door lock/deadbolt in about 3 seconds, just raking it. Invest in something better than a typical key design. No, barrel keys are not an acceptable replacement, those only take about 5 seconds.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    6. Re: No. No it is not. by Zero__Kelvin · · Score: 1

      You are one fucking stupid motherfucker.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    7. Re: No. No it is not. by Anonymous Coward · · Score: 0

      You're missing the point. Giving facebook your mobile phone number is a really, really bad idea for a myriad of reasons that have nothing to do with your website account security.

      For these reasons, password only logins are more secure.

    8. Re: No. No it is not. by Anonymous Coward · · Score: 1

      Picking a lock requires geographic proximity: a thief has to go to your door.

      Hacking SMS to steal 2FA creds can be done from anywhere with internet access.

    9. Re: No. No it is not. by Zero__Kelvin · · Score: 1

      No. That would be a completely different point which the OP absolutely did not make at all.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    10. Re: No. No it is not. by Khyber · · Score: 1

      No, you are for failing at analogies. Notice how all you can say is an insult instead of having an actual rebuttal.

      Try again when you can do something higher than kindergarten-level replies.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    11. Re: No. No it is not. by Anonymous Coward · · Score: 0

      So naturally, you don't use locks on your house or car, right? Just like you wouldn't use 2FA over SMS, and have come up with a much better solution that you'd like to share with everyone.

      Protip: TOTP and HOTP are useless because attackers can steal your phone or trick you into giving away the shared secret key, in the same way they can trick phone companies to receive your SMSs.
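The thread contrasts SMS codes, which travel through the carrier, with TOTP/HOTP, where both sides compute the code from a shared secret and nothing is sent over the phone network. The following is an added illustration, not code from the page or from any of the posters: an RFC 4226 HOTP and RFC 6238 TOTP implementation together with a small server-side verifier. The verifier tolerates one time step of clock drift and refuses to accept a counter at or below the last accepted one, so a code an attacker captured once cannot be replayed within its 30-second window. The secret is the RFC's published test vector, used only so the output can be checked against the RFC tables; `TotpVerifier` and its method names are this example's own.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"). Used here
# only because its outputs are published test vectors; it is not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, followed by
    dynamic truncation to a `digits`-long, zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check (example design, not from any library).

    Accepts +/- `window` time steps of clock drift, and never accepts a counter
    at or below the last one that succeeded, so a code observed in transit
    cannot be submitted a second time while it is still within the window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        accepted = None
        # Evaluate every candidate rather than returning early, so the time
        # taken does not reveal which step matched.
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            # compare_digest keeps the string comparison constant-time
            if hmac.compare_digest(expected, submitted) and counter > self.last_accepted:
                accepted = counter
        if accepted is None:
            return False
        self.last_accepted = accepted
        return True


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))               # RFC 4226 vector: 755224
    print(totp(RFC_TEST_SECRET, 59, digits=8))    # RFC 6238 vector: 94287082
    v = TotpVerifier(RFC_TEST_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True False (replay refused)
```

The replay check is what makes the difference between "the attacker saw the code" and "the attacker can use the code": a stolen secret, as the comment says, defeats all of this, but a code intercepted after the legitimate user has already logged in is worthless.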

  4. Dear Facebook users by 93+Escort+Wagon · · Score: 5, Insightful

    We are very sorry we prematurely started sending you Facebook advertisements using the phone number you provided for 2-step verification. Our intention was to not do so until we had finished our latest marketing plan and updated the wording of our terms of service.

    Please accept our apologies. We hope you continue to enjoy Facebook and provide us with what little of your valuable personal information we have not already collected.

    - Your Facebook Team

    --
    #DeleteChrome

    1. Re:Dear Facebook users by ma1wrbu5tr · · Score: 1

      This! And this again. If you're complaining and didn't read the 21 pages of legalese that we call a Terms of Service, then you need a better lawyer.

      --
      Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!

    2. Re:Dear Facebook users by ffkom · · Score: 4, Insightful

      I am sure this was as much a "bug" as it was just "bugs" in Google's Street View car software to collect WLAN SSIDs, like the "bugs" in car manufacturers' motor control software defeating environmental emission tests.

    3. Re:Dear Facebook users by thegarbz · · Score: 1

      Except Occam's Razor is on the side of Facebook with this one. There is no reason the same system used for 2FA should be tied to a system that automatically posts messages on a wall.

      Google on the other hand was building a WiFi database long before they decided to collect the data on people. There was not only intent in their actions but it also made perfect sense from a business point of view.

      Comparing the two is silly.

    4. Re:Dear Facebook users by nospam007 · · Score: 1

      "There is no reason the same system used for 2FA should be tied to a system that automatically posts messages on a wall."

      Other than posting wall updates from an old 'stupid' fliphone, an SMS capable landline, ....

    5. Re:Dear Facebook users by thegarbz · · Score: 1

      From a single phone number that is also used for 2FA.

      Again: all this points to bug, architectural oversight, or plain stupidity from someone who wasn't thinking clearly. Quite different from the Google case.

    6. Re:Dear Facebook users by Anonymous Coward · · Score: 0

      There are two issues here:

      1. Posting the replies. I agree, there's no motivation for them to treat replies to 2FA as posts, so it makes sense that this part is most likely a bug/design flaw. (Basically, the bug is that they used one phone number for all their SMS features instead of using a different one for 2FA.)
      2. Sending the notices to people who only opted into 2FA, not to SMS notices. *That* could be a bug, or it could be marketing trying to stretch re-engagement past what people actually approved.
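The comment above frames the incident as two separate failures: one number shared by every SMS feature, and notices going to people who had only consented to 2FA. As an added example (not Facebook's code, and not from the article), here is a small gateway that keeps the two apart: consent is recorded per purpose, each purpose has its own sender identity, a reply to the verification number can never become a post, and STOP is honoured on either number. The sender identities and phone numbers are constructed placeholders, and `SmsGateway`, `Purpose`, `Inbound` and `Outbound` are this example's own names.

```python
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    TWO_FACTOR = "2fa"               # number collected only to deliver login codes
    NOTIFICATION = "notification"    # number the user explicitly opted in for alerts


# Constructed placeholder sender identities, one per purpose. They are not
# real short codes; the point is that the two purposes never share a number.
SENDER_FOR = {
    Purpose.TWO_FACTOR: "SHORTCODE-2FA-PLACEHOLDER",
    Purpose.NOTIFICATION: "SHORTCODE-NOTIFY-PLACEHOLDER",
}


@dataclass
class Outbound:
    to: str
    sender: str
    body: str


@dataclass
class Inbound:
    frm: str    # the user's phone number
    to: str     # which of our sender identities the reply was addressed to
    body: str


@dataclass
class SmsGateway:
    consent: dict = field(default_factory=dict)   # phone -> set of Purpose
    outbox: list = field(default_factory=list)
    posts: list = field(default_factory=list)     # status updates created from SMS
    audit: list = field(default_factory=list)

    def enroll(self, phone: str, purpose: Purpose) -> None:
        """Record consent per purpose. A number given for 2FA grants nothing else."""
        self.consent.setdefault(phone, set()).add(purpose)

    def send(self, phone: str, purpose: Purpose, body: str):
        """Outbound messages leave on the sender tied to their purpose, and only
        when the user consented to that purpose."""
        if purpose not in self.consent.get(phone, set()):
            self.audit.append(f"DENY {purpose.value} -> {phone}: no consent")
            return None
        msg = Outbound(phone, SENDER_FOR[purpose], body)
        self.outbox.append(msg)
        return msg

    def receive(self, inbound: Inbound) -> str:
        """Route an inbound reply by the number it was sent to."""
        purpose = next((p for p, s in SENDER_FOR.items() if s == inbound.to), None)
        if purpose is None:
            self.audit.append(f"DROP reply from {inbound.frm}: unknown destination {inbound.to}")
            return "dropped"
        if inbound.body.strip().upper() == "STOP":
            # STOP is honoured whichever number it reaches: notification consent
            # is revoked. Login codes were set up in the app and are managed there.
            self.consent.setdefault(inbound.frm, set()).discard(Purpose.NOTIFICATION)
            self.audit.append(f"STOP from {inbound.frm}: notification consent revoked")
            return "unsubscribed"
        if purpose is Purpose.TWO_FACTOR:
            # Replies to the verification number are never user content.
            self.audit.append(f"DROP reply from {inbound.frm} to 2FA sender")
            return "dropped"
        if Purpose.NOTIFICATION in self.consent.get(inbound.frm, set()):
            self.posts.append((inbound.frm, inbound.body))
            return "posted"
        self.audit.append(f"DROP reply from {inbound.frm}: not opted in to notifications")
        return "dropped"
```

Production gateways match the carrier's whole keyword list (STOP, UNSUBSCRIBE, CANCEL and so on) rather than one exact word; the exact match here keeps the routing logic readable. The property worth checking in review is that no path exists from the 2FA sender to `posts`, and that `send` consults consent before it consults the sender table.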

  5. Not a bug by Anonymous Coward · · Score: 2, Insightful

    I am at a loss as to how this could be a bug. We almost all here write code; making a computer do anything requires effort, concentration and time.

    This was done on purpose. To what end I do not know but the idea that through some mystery code all this happened is just not logical, it makes much more sense that it was crafted to perform the actions it performed.

    At some point in the code during the authentication process it had to capture the response, that response then had to be applied to a user's 'wall' which again is not an easy task and takes time, concentration and effort to make it perform this action.

    I call BS, facebook did this on purpose, why is unknown, but the amount of effort to create this situation goes beyond a bug and into the realm of the deliberate.

    1. Re:Not a bug by Anonymous Coward · · Score: 0

      This was done on purpose. To what end I do not know but the idea that through some mystery code all this happened is just not logical, it makes much more sense that it was crafted to perform the actions it performed.

      At some point in the code during the authentication process it had to capture the response, that response then had to be applied to a user's 'wall' which again is not an easy task and takes time, concentration and effort to make it perform this action.

      Or it's just a misprogrammed management GUI...

      You're seriously going to tell me that there's not some Windows admin running their server clusters? Perhaps one that misclicked during a config change because the SMS relay for standard notifications was taken down for maintenance / replacement and they needed to bring up another one during the interim? Or maybe they were just migrating servers?

      Even for facebook: "Never attribute to malice that which is adequately explained by stupidity."

    2. Re:Not a bug by Anonymous Coward · · Score: 0

      I actually did not think about that.

      I am a node.js developer so I'm used to writing the server not utilizing a GUI.

      It generally is not much more than a dozen or so lines of rather simple javascript.

      What kind of maniac uses windows for a web server? It is entirely unsuitable to the task for many well known reasons.

  6. *hugs* by Anonymous Coward · · Score: 1

    Just here passing out the *hugs*!

    1. Re:*hugs* by Anonymous Coward · · Score: 3, Funny

      You have just violated the FreeBSD Code of Conduct for harassment. Specifically:

      Physical contact and simulated physical contact (e.g., textual descriptions like "*hug*" or "*backrub*") without consent or after a request to stop.

    2. Re:*hugs* by TigerPlish · · Score: 1

      Is that you Pinkie Pie? Is this me?

      --
      The "Civilized World" jumped the shark ca. 1973.

    3. Re:*hugs* by Anonymous Coward · · Score: 0

      What the fuck was that!

      Comments that reinforce systemic oppression related to...

      So expressing a thought that an SJW takes issue with is verboten? What a joke! How long has this been going on?!

    4. Re:*hugs* by Anonymous Coward · · Score: 0

      I dunno, HR is run by women and HR is the one firing anyone for thought crimes. Across time their tyranny and doublethink has entrenched and become normalized. Man bad, touch bad, women good, women best at everything...blah blah blah.

    5. Re:*hugs* by DRJlaw · · Score: 1

      But how do you know there wasn't consent?

      *dopeslap*

  7. Yeah, let's trust Facebook by Anonymous Coward · · Score: 0

    A bug? or someone who doesn't know what they are doing? Facebook is not a site I would choose to share much personal information with.

  8. Loss of Face by Mister+Liberty · · Score: 1

    book.

  9. it is NOT a secure method by greggman · · Score: 1

    as pointed out by numerous previous Slashdot-linked articles it's very easy to transfer phone numbers without the original owner's permission.

    1. Re: it is NOT a secure method by Zero__Kelvin · · Score: 1

      ... and yet you would need to know the phone number associated with the account and jump through numerous hoops, meaning it is not impossible to bypass in every situation, but stops attacks in most cases. Get back to us when you can pass a high school class on computer security.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  10. No, Facebook *claims* it was a bug... by ToTheStars · · Score: 1

    It might have been a test -- "how far can we turn up the heat before the frogs jump out?" This time, they found the answer was 'too hot', but that's still good data for them.

    1. Re:No, Facebook *claims* it was a bug... by Krishnoid · · Score: 1

      We're all slowly boiling -- it's more a question of how fast you can turn up the heat. Maybe we should start explicitly distinguishing between sarcasm and prediction in our dystopian posts so it's easier to find when we've crossed various lines. Either that, or we need to condition our sense of privacy to be more warm-blooded than cold-blooded, per your analogy.

    2. Re:No, Facebook *claims* it was a bug... by Anonymous Coward · · Score: 1

      This begs for a website to graphically show the Facebook temperature. It would feature a frog in a pot of water and a timeline showing various Facebook privacy SNAFUs. The timeline would default to now, but you could slide the frog back on the line to previous SNAFUs to see the graphic change to various different indications of frog discomfort. Someone needs to get to work.

  11. We may not have AI yet... by RhettLivingston · · Score: 2

    but the computer is apparently perfectly capable of being the fall guy.

  12. PR bullshit served with sprinkles by msmash by Anonymous Coward · · Score: 0

    I hate msmash. Not only does he serve up MS propaganda but now Facebook too? I hope slashdot is being paid for this shit.

    > Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system,

    "Clarified" implies they are being honest and clear about something the public misunderstood,

    > admitting that the messages were indeed caused by a bug.

    Putrid shilling by msmash here: "Indeed caused by a bug".

    To quote another poster "I am at a loss as to how this could be a bug. We almost all here write code, making a computer do anything requires effort, concentration and time. This was done on purpose."

    So fuck you msmash.

  13. Deleting Facebook is the ONLY solution by Anonymous Coward · · Score: 0

    The entire business model of Facebook is to spy on you. There is no way around it; users have to put a hard, perpetual boycott on Facebook. Drive it out of business from lack of demand.

  14. Is that bug called "greed"? by Anonymous Coward · · Score: 0

    You think we're idiots, don't you.

  15. Private information by larsholm · · Score: 1

    It's not that some Facebook system accidentally sent messages that worries me. It's the fact that a random Facebook system had access to a phone number given in the context of setting up 2FA. That tells me that Facebook does not internally treat 2FA numbers as private and secure information.

  16. What's that old chestnut? by QuietLagoon · · Score: 2

    It is easier to ask for forgiveness afterward than to ask for permission beforehand. A bug? Yeah, I'll buy that, and the Brooklyn Bridge. To go, please.

  17. So what? by Anonymous Coward · · Score: 0

    Who cares if it was a bug. It's still illegal to ignore STOP messages and they should still be fined the maximum amount.

  18. Bug? by Agripa · · Score: 1

    The bug was they got caught and someone fussed about it.