Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug (theverge.com)

Posted by msmash on from the oops dept.

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.

8 of 50 comments (clear)

  1. No. No it is not. by Anonymous Coward · · Score: 5, Interesting

    ... which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone.

    No. No it is not.

    Some may be stupid enough to believe that, but not I.

    1. Re:No. No it is not. by ToTheStars · · Score: 4, Insightful

      Shame on whoever modded this down -- "2FA" over SMS is empirically proven insecure, by e.g. social engineering attack on the cell phone company to redirect text messages to an attacker's phone.

  2. Dear Facebook users by 93+Escort+Wagon · · Score: 5, Insightful

    We are very sorry we prematurely started sending you Facebook advertisements using the phone number you provided for 2-step verification. Our intention was to not do so until we had finished our latest marketing plan and updated the wording of our terms of service.

    Please accept our apologies. We hope you continue to enjoy Facebook and provide us with what little of your valuable personal information we have not already collected.

    - Your Facebook Team

    --
    #DeleteChrome
    1. Re:Dear Facebook users by ffkom · · Score: 4, Insightful

      I am sure this was as much a "bug" as it was just "bugs" in Googles street view car software to collect WLAN SSIDs, like the "bugs" in car manufacturers motor control software deafeating environmental emission tests.

  3. Not a bug by Anonymous Coward · · Score: 2, Insightful

    I am at a loss as to how this could be a bug. We almost all here write code, making a computer do anything requires effort, concentration and time.

    This was done on purpose. To what end I do not know but the idea that through some mystery code all this happened is just not logical, it makes much more sense that it was crafted to perform the actions it performed.

    At some point in the code during the authentication process it had to capture the response, that response then had to be applied to a users 'wall' which again is not an easy task and takes time, concentration and effort to make it perform this action.

    I call BS, facebook did this on purpose, why is unknown, but the amount of effort to create this situation goes beyond a bug and into the realm of the deliberate.

  4. Re:*hugs* by Anonymous Coward · · Score: 3, Funny

    You have just violated the FreeBSD Code of Conduct for harassment. Specifically:

    Physical contact and simulated physical contact (e.g., textual descriptions like "*hug*" or "*backrub*") without consent or after a request to stop.

  5. We may not have AI yet... by RhettLivingston · · Score: 2

    but the computer is apparently perfectly capable of being the fall guy.

  6. What's that old chestnut? by QuietLagoon · · Score: 2

    It is easier to ask for forgiveness afterward than to ask for permission beforehand. A bug? Yeah, I'll buy that, and the Brooklyn Bridge. To go, please.