[ad_1]
"I'm glad we found that, corrected the vulnerability and secured accounts that may be in danger," said Facebook CEO Mark Zuckerberg, "but we must continue to develop new tools to prevent that does not happen. " in law."
His feeling is correct: Facebook must prevent these types of violations before they happen. But is it even possible? Can Facebook preemptively remove each potentially disastrous vulnerability before it is discovered? Almost certainly not.
Facebook has come a long way since someone could actively manage it from a dormitory. Aaron Chiu, a software engineer for Facebook, noted on Quora that five years ago, the Facebook core was composed of 62 million lines of code. A complex code base requires a large number of managers and the service has grown steadily. More moving parts mean more things that might be lacking, but the increasing complexity of service means very it is unlikely that the company will be able to fully secure its products. (When asked if the company was of another opinion, a Facebook spokesman simply pointed to the existing statements.)
This does not help that this violation – one of the most important in the company's history, if not the most important one – has been caused by seemingly unlikely convergence of loopholes.
Guy Rosen, vice president of product management for Facebook, said at a press conference with reporters earlier today that this violation was the result of three inadvertent bugs. The first person authorized to use Facebook's View As feature, which allows you to see what a particular friend would see if your profile was viewed, to access a video download program that they should not have been used. This downloader is the number two bug node: he created a single sign-in token for Facebook's mobile app, not the standard web version. The last bug was undoubtedly the most damning: the access token created by the video editor was aimed at the account being watched, allowing the attacker (or attackers, we are not sure) to have access to the profile of the stranger and repeat the process for it. friends.
This is an extremely mysterious discovery, and if any of these features worked properly, 90 million people would not have to worry about what's happening with their personal data. If you zoom in on these individual problems, they seem relatively benign. Facebook missing a single big defect would have been a thing; this breach has been made possible by three small defaulters. These types of cascading and co-dependent failures can be difficult to take into account, especially when you consider the frequency with which Facebook seems to update the components of its service. It's just: there are many, after all.
While it may be tempting to assume that a recent management reshuffle that Facebook has left without a security chief has not helped, the company says the opposite. Facebook had said earlier this year that it had begun integrating engineers and security analysts into product engineering groups in order to respond to new threats. Rosen told reporters that this change would help internal investigators "find and solve" this problem more quickly.
Rosen also noted that Facebook is preparing to increase the number of employees working on "safety and security" from about 10,000 to 20,000 people. Looking at the problem and thinking about this problem is certainly a step in the right direction, although members of the security community insist that it will take more than new recruits to solve problems.
"This is not necessarily the number of eyes on software that matters, but more so the diversity of people who check it," said Engadget, a researcher at Malwarebytes, Jerome Segura. "This means that the internal code review is excellent, but the benefits of having researchers and third-party companies present are also valuable."
As all this debacle has been proven, a handful of small imperfections working so that no one expects to do is able to do a lot of damage. Fortunately, there are ways for Facebook to better manage the easiest problems: Segura said that code segmentation and compartmentalization, combined with regular internal and external audits, "could actually make the product safer." Even in this case, Segura conceded that "complex bugs will still exist".
For the moment, we can only expect answers. Facebook is convinced that only 50 million users have been directly affected by this vulnerability, but the company is not yet sure how these accounts were "misused". And given the magnitude of this violation and the continued involvement of the FBI, it will take time before we understand the extent of what these attackers were after and they have finally succeeded. One thing, however, seems clear: Facebook is a complex service that stores a lot of valuable personal information and the target is painted on the back. These attacks are not going to stop anytime soon and Facebook will not be able to push them back forever.
Source link