Facebook employees can fully access your account without a password
Posted by: Jon Ben-Mayor on 02/28/2015 12:25 PM
A recent discovery by Paavo Siljamäki, who is not a security researcher but a director at the Anjunabeats record label, has shed some light on the fact that certain Facebook employees have, for lack of a better word, a master key to users' accounts. This "key" allows them to log into your account just as if you had done it yourself, and no warning about a login from an unknown computer, browser or geographical location pops up.
The scenario was posted on his Facebook page - presumably by him. 
Today's thought-provoking story:
Popped to Facebook offices in LA, the nice people there were giving us good advice on how to use Facebook better. I was then asked if I'm OK for them to look at my profile, I said 'sure'. A Facebook engineer can then log in directly as me on Facebook, seeing all my private content without asking me for the password.
Just made me wonder how many of Facebook's staff have this kind of 'master' access to anyone's account? What are the rules on who and when they can access our private content, and how would we know if someone did? (My Facebook did not notify me that someone else accessed my private profile.)

A Facebook spokesperson gave the following statement:
We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner’s Office as part of their audit of our practices.
Access is tiered and limited by job function, and designated employees may only access the amount of information that’s necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.
We have a zero tolerance approach to abuse, and improper behavior results in termination.
As for the case above, the Facebook employee in question was responding to a specific problem Siljamäki had and got permission to resolve the issue.
As we all know, the prospect of termination (or prosecution) will fully thwart any misuse...
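The spokesperson points to tiered access and pattern detection, yet the account owner in this story saw neither an authorization step tied to his request nor any notification afterwards. The following added Python example (not Facebook's code) reviews a batch of constructed impersonation audit events, flags any access that is not backed by a permitted role and a consented support case for that same user, and generates the owner notification that was missing; the role name, case ids, usernames and event fields are assumptions.

```python
"""Audit review for staff "log in as user" (impersonation) events.
Added example, not Facebook's code: it models two controls the account owner
in the story could not see, binding each impersonation to a support case the
owner consented to and notifying the owner afterwards. Roles, case ids,
usernames and timestamps are constructed sample data."""
from collections import namedtuple

Event = namedtuple("Event", "ts staff role user case_id")  # one impersonation
Case = namedtuple("Case", "case_id user consent")          # one support case

# Tiered access: only this job function may impersonate (assumed role name).
ALLOWED_ROLES = {"support_engineer"}


def review_impersonations(events, cases):
    """Return (violations, notifications) for a batch of impersonation events.
    An event is a violation unless a permitted role performed it against a
    case for the same user that carries that user's explicit consent."""
    by_id = {c.case_id: c for c in cases}
    violations, notifications = [], []
    for ev in events:
        case = by_id.get(ev.case_id)
        if ev.role not in ALLOWED_ROLES:
            violations.append((ev, "role_not_permitted"))
        elif case is None:
            violations.append((ev, "no_support_case"))
        elif case.user != ev.user:
            violations.append((ev, "case_belongs_to_other_user"))
        elif not case.consent:
            violations.append((ev, "no_user_consent"))
        # The owner hears about every access, flagged or not.
        notifications.append(
            f"{ev.user}: {ev.staff} accessed your account at {ev.ts} (case {ev.case_id})")
    return violations, notifications


# Constructed batch: one legitimate access followed by four that must be flagged.
SAMPLE_CASES = [Case("C-100", "user_a", True), Case("C-200", "user_b", False)]
SAMPLE_EVENTS = [
    Event("2015-02-27T18:02Z", "eng1", "support_engineer", "user_a", "C-100"),
    Event("2015-02-27T19:10Z", "eng2", "support_engineer", "user_c", None),
    Event("2015-02-27T19:30Z", "eng3", "support_engineer", "user_b", "C-200"),
    Event("2015-02-27T19:45Z", "eng4", "support_engineer", "user_c", "C-100"),
    Event("2015-02-27T20:00Z", "dev9", "backend_developer", "user_a", "C-100"),
]

if __name__ == "__main__":
    flagged, notes = review_impersonations(SAMPLE_EVENTS, SAMPLE_CASES)
    for ev, why in flagged:
        print(f"FLAG {ev.staff} -> {ev.user}: {why}")
    print("\n".join("NOTIFY " + n for n in notes))
```

In a real deployment the preventive check would run before the session is issued and the review pass would run over the full impersonation log, so that a violation list that is not empty is itself the report the security team reviews.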
Source: VentureBeat