It’s no secret Facebook has been under fire for the misuse of tens of millions of Facebook users’ private data. Facebook reportedly has had partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, which allegedly began before Facebook apps were widely available on smartphones.
According to a recent NYT report, “The company views its device partners as extensions of Facebook, serving its more than two billion users, the officials said. These partnerships work very differently from the way in which app developers use our platform,” said Ime Archibong, a Facebook vice president. “Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of ‘the Facebook experience.’” Katie Carty Tierney, senior director, global sales engineering at WhiteHat Security, commented below.
Katie Carty Tierney, Senior Director, Global Sales Engineering at WhiteHat Security:
“Because we continue to see a need for mature DevSecOps programs, we may be seeing more of these issues leading to breaches and cyberattacks. The biggest challenge is keeping security professionals trained on the most secure development practices, and having them implemented in practice. Here’s how I look at this: bandits who attacked unsecured banks in the old west didn’t have a map. They just knew that banks existed and were largely unprotected. Similarly, Facebook’s device APIs (as they’re calling them) were simply APIs that didn’t provide a map. That doesn’t mean that attackers wouldn’t be able to figure them out; they’d just have to find them to exploit them. And since Facebook provided the device APIs with higher level privileges and access than the standard public-facing APIs, once a malicious actor found one, it would be only a matter of time until they had all the data they needed to complete whatever nefarious task they wanted.
For many standard public-facing APIs, though, where the entire API structure is published, there are maps that give the bad guys a head start. Public-facing APIs are generally easy to exploit through common attack methods like authorization or authentication attacks, so they are prime targets for malicious actors. Where we go from this point will determine what sensitive information is knowingly or unknowingly left vulnerable and what are the consequences for not making access more secure. It’s up to the owners of these APIs to make API-level security a priority and to protect the data which we’ve entrusted to them.”