
Mornings With Mark
no. // 0007

Facebook's Security Fail

Full machine generated transcript follows

Hey everybody, how are you doing today? Welcome to the show. In this episode we're going to talk about Facebook and absolutely horrible privacy and information security practices, again. I can't even, guys, I can't even. We are a hundred and some, almost 200 episodes into Mornings with Mark. I have talked about Facebook too many times and I didn't want to talk about Facebook today, but I have to, because there was a report that surfaced that highlighted a practice Facebook has implemented when you're signing up for a new account, and apparently it has been in place for almost three years. We've had Facebook accounts since the beginning, unfortunately, and we've seen scandal after scandal come out from Facebook.

What they were doing here is just ridiculous. I don't know how anyone let this get by from a privacy perspective or from a security perspective, let alone why people would actually tolerate this as a requirement to sign up for an account. I think it really shows the fact that people sign up and feel like, "I don't necessarily have the choice." Facebook has just gotten so big; there's too much going on on the platform to ignore it.

So here's what happened. A security researcher highlighted the fact that when you sign up for Facebook with an email address that they've never seen before, they prompt you for your email password. Let that sink in for a second. They're prompting you for your personal email password in an attempt to verify that it's your email account.

Not asking you to set up a Facebook password; literally asking you for your email password. That is wrong, just flat-out wrong. There's no wiggle room on that. The requirement to verify your email, I totally get that; most services, mailing lists being the most prominent among them, have that requirement. You know how you do that? You send somebody an email. Easy. You send an individually customized, expiring link to that email address and ask them to click on it to bring it back to the service.

So you verify that they actually own and have access to that account. You do not ask them for their password. Obviously there's a major issue here: if you ask them for their password, now you have their password and you can do anything you want with their email. And for users, what a massive breach of your privacy and security, because almost every account you own will let you reset the password through your email account. That's a huge single point of failure for most of our operational security, but Facebook was actually asking you for this password. And people, forgive me, this is a great time to remark on the fact that you should never give your password out to anybody, ever, under any circumstances. End of sentence, end of statement.

Never. When support says, "Hey, we need your password," no, you don't. Reset it, go through the process, and then you can generate a new password. Never give them your password. Just standard security 101: never give anybody your password to anything, ever. Done. Now, so Facebook was doing this, and their biggest mea culpa here was, "Well, we know it was kind of bad practice, but we're sorry that we were scraping your email contacts without letting you know; that was an unintentional oversight, given that we used to allow you the option of importing your contacts."

Yes, that's bad. Horrible. You absolutely shouldn't be importing contacts without people's permission. You shouldn't be prompting them to continue to import their contacts in any circumstances, because we've all seen the avalanche of new social media network spam that generates from that. But to ask them for their password... So obviously I'm freaking out about this from a security perspective, even though it's been going on for three years, just because it's such an atrociously wrong practice.

But let's put our evil hats on for a second, or maybe not, or, well, that might not be fair. But why would you ever generate a feature like this in the first place? And I think the answer is in this contact slurping activity: trying to suck in everybody's contacts in order to get more people onto the platform, to offer new users a better experience because they're connected, offering connections to people that they know. To try to walk somebody through how to export the contacts out of their email account is actually a real pain in the butt. You've got to figure out: are they using something like Gmail? Are they using something custom? There's a whole bunch of complexities here that you need to figure out, and to try to walk people through the help documentation would be monstrous.

So, of course, it's easier just to say "give me your password," but this leads me to my key takeaway point for everybody. I am so out of rant mode and into advice mode, because I was trying to give you guys something practical here on Mornings with Mark: just because it's maybe the easier way to do something doesn't mean you should breach fundamental security protocols.

If something fundamental, like never asking people for their passwords, is something you have to break, so that you have to ask them for their passwords to build a feature, you're probably building the wrong feature. Right? You need to come out and give a trade-off and say, look, we can't implement this feature because it would break fundamental security. At some point, developers, engineers, people who are building technology,

we need to put our foot down. We can't do this. This is going to open up way more exposure than it's worth. This is not a good practice; it's not something we want to encourage within our digital communities. That's my takeaway. I can't go on any longer with this because I will just continue to rant. I'm sure you have comments.

I'm hoping they're all going to be... we'll see. I hope you're set up for a fantastic day and a great weekend, and I will see you on the next episode of the show, where hopefully I will be calmer. Take care.
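The verification flow Mark describes (an individually customized, expiring link instead of a password prompt), as an added Python example that is not from the episode; the server secret, the example.invalid host and the 15-minute lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example secret; a real service loads this from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60   # assumed: the emailed link stops working after 15 minutes
MAC_LEN = hashlib.sha256().digest_size


def make_verification_token(email: str, now: Optional[float] = None) -> str:
    """Mint the one-off token that goes into the verification link.

    The address and an expiry timestamp are bound together under an HMAC
    keyed with the server secret, so the token works only for this address,
    only until it expires, and only the person who can read the inbox sees it.
    The user's email password is never involved.
    """
    issued = int(time.time() if now is None else now)
    payload = f"{email}|{issued + TOKEN_TTL_SECONDS}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode().rstrip("=")


def verification_link(email: str) -> str:
    """The URL to email to the user (placeholder host, not a real endpoint)."""
    return "https://example.invalid/verify?token=" + make_verification_token(email)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the proven address, or None if the token is forged, damaged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, sep, mac = raw[:-MAC_LEN - 1], raw[-MAC_LEN - 1:-MAC_LEN], raw[-MAC_LEN:]
        email_b, expires_b = payload.rsplit(b"|", 1)
        expires = int(expires_b)
    except (ValueError, TypeError):
        return None
    if sep != b"|":
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, expected):
        return None
    current = time.time() if now is None else now
    if current > expires:
        return None
    return email_b.decode()
```

Only the address that actually received the link can present a valid token, which is the ownership proof; expired, altered or made-up tokens all fail closed.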