Expert Comments

Experts Comments On Facebook Reveals Another Privacy Breach, This Time Involving Developers

Expert(s): Security Experts
Expert(s): Security Experts

Facebook has quietly revealed another privacy breach involving approximately 100 developers. On Tuesday, Konstantinos Papamiltiadis, Facebook’s Director of Platform Partnerships said in a blog post that the names and profile pictures of users connected to Groups and the system’s API were accessible.

Before April 2018, group administrators could authorize an app for a group they managed, giving the application developer access to this information. Despite restricting information access to just the group’s name, the number of users, and post content — unless users opted-in to share their name and profile picture — in April last year, Facebook says that some apps retained access to this additional data until recently, ZDNet reported today.

Experts Comments

Dot Your Expert Comments
Joseph Carson
November 07, 2019
Thycotic
Chief Security Scientist

FACEBOOK must prioritize privileged access management best practices and apply the principle of least privileged.
Another major FACEBOOK data breach resulting from poor API Access security controls. API Access should be treated as privileged and any access to API’s should follow privileged access management best practice security to ensure that access is approved and authorized. APIs typically allow automation and integration to ensure that applications can perform the tasks to function properly however many companies focus on making them available quickly and on ease of use then try plugging security.....Read More
Another major FACEBOOK data breach resulting from poor API Access security controls. API Access should be treated as privileged and any access to API’s should follow privileged access management best practice security to ensure that access is approved and authorized. APIs typically allow automation and integration to ensure that applications can perform the tasks to function properly however many companies focus on making them available quickly and on ease of use then try plugging security controls into them after they have already been available for long periods of time. In some instances when security is more difficult companies have to change the way the API works or revoke the access to the API altogether which is what FACEBOOK have done in this latest privacy failure. FACEBOOK must prioritize privileged access management best practices and apply the principle of least privileged to all new services as well as existing services. It might be a good time to get Mark Zuckerberg a gift-wrapped copy of my latest book called Least Privilege Cybersecurity for dummies as FACEBOOK might learn something about security and privacy by reading this book.  Read Less
Will LaSala
November 07, 2019
Director of Security Services, Security Evangelist
OneSpan

Now Facebook has made a change to their privacy policy and is ensuring that applications adhere to that policy.
In my view, Facebook was reviewing their policies and how they were implemented, then came across an unintended flaw in their APIs that allowed certain developers access to information that they now restrict. From Facebook’s explanation on their blog, most of these apps were designed to help manage people within a group. The most important thing to remember here is that the original group administrator had to add and approve these applications, they also had access to the restricted data. Now .....Read More
In my view, Facebook was reviewing their policies and how they were implemented, then came across an unintended flaw in their APIs that allowed certain developers access to information that they now restrict. From Facebook’s explanation on their blog, most of these apps were designed to help manage people within a group. The most important thing to remember here is that the original group administrator had to add and approve these applications, they also had access to the restricted data. Now Facebook has made a change to their privacy policy and is ensuring that applications adhere to that policy. From a consumer standpoint, this should be an indicator to go and check the groups that you belong to, make sure you agree with the apps the group administrator has granted permissions to use and ask to find out what types of data those apps have access to. If you disagree with the group’s privacy, then remove yourself from the group so they will stop having access to it. It is important that consumers stay vigilant when it comes to their privacy.  Read Less
Tim Mackey
November 07, 2019
Principal Security Strategist
Synopsys CyRC

Additionally, when settings change or new entities gain access to data, users should be alerted to the change.
As Facebook have demonstrated over the years, maintaining a matrix of permissions for any account is challenging. This comes not only from how privacy expectations are communicated and set, but through how they might be verified. Looking specifically at Groups, while a Group administrator might authorize an application to access certain aspects of their Group, individual users might have a different preference. As feature changes occur, it’s not uncommon for legacy settings to be.....Read More
As Facebook have demonstrated over the years, maintaining a matrix of permissions for any account is challenging. This comes not only from how privacy expectations are communicated and set, but through how they might be verified. Looking specifically at Groups, while a Group administrator might authorize an application to access certain aspects of their Group, individual users might have a different preference. As feature changes occur, it’s not uncommon for legacy settings to be grandfathered for a period of time, but when the feature involves a privacy setting such a grandfather policy can become problematic. Given the pace of feature development on social media platforms, and the complexity of social networks, users must rely on the social media platforms to place their privacy expectations above all else. This can and should include a concise page showing what data is both explicitly or implicitly available to which application, data service, Group, or User. Additionally, when settings change or new entities gain access to data, users should be alerted to the change. Armed with this information in a concise manner, individual users can then become active participants in managing their personal data and abuses at any level can be readily identified without requiring a government mandate on the social media platform to perform a privacy review.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

UK Minister Raab Wakes Up to Aggressive Cyber-Attacks Targeting British...

~200K US Military Vets’ Medical Records Leaked by 3rd Pty...

Experts Responses on Verizon DBiR Findings

Expert Reaction On Researcher Proves AirTags Can Be Hacked

Babuk Ransomware Gang Again Threatens DC Police Data Release

UK Home Secretary Warns Not To Pay Out To Ransomware...

U.S. Issues Ransomware Advice For Critical Infrastructure

Android Banking Trojan- Experts Insight

TeaBot Android Bank Trojan Steals EU User Credentials

NCSC Active Cyber Defence Fourth Year Report