Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access

Facebook today announced that during a routine security review it discovered "some user passwords" were stored in a readable format within its internal data storage systems, accessible by employees.

As it turns out, "some user passwords" actually means hundreds of millions of passwords. A Facebook insider told KrebsOnSecurity that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included, and Facebook claims many of the passwords came from Facebook Lite users.


Facebook says that there's no "evidence to date" that anyone within Facebook abused or improperly accessed the passwords, but KrebsOnSecurity's source says 2,000 engineers or developers made around nine million internal queries for data elements that contained plain text user passwords.

Facebook employees reportedly built applications that logged unencrypted password data, which is how the passwords were exposed. Facebook hasn't determined exactly how many passwords were stored in plain text, nor how long they were visible.

Facebook plans to notify users whose passwords were improperly stored, and the company says that it has been looking at the ways certain categories of information, such as access tokens, are stored, and correcting problems as they're found.

"There is nothing more important to us than protecting people's information, and we will continue making improvements as part of our ongoing security efforts at Facebook," reads Facebook's blog post.

Facebook and Instagram users who are concerned about their account security should change their passwords, using unique passwords that are different from passwords used on other sites. Facebook also recommends users enable two-factor authentication.
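The failure described above is two-fold: passwords were persisted in a readable form, and internal tooling logged them. As an added illustration (this is not Facebook's code; the field names, log format and sample lines are constructed assumptions), the Python below shows the storage-side control (a salted PBKDF2 hash, so an over-exposed record does not reveal the password), the logging-side control (a redaction pass over structured events and free-text lines before they reach a log sink), and the kind of scan a routine review could run over existing logs to find credential values that slipped through.

```python
import hashlib
import hmac
import json
import os
import re
from typing import Optional

# Added example, not Facebook's code. Field names, the log format and the
# sample lines below are constructed for illustration.

PBKDF2_ITERATIONS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256
SENSITIVE_KEYS = {"password", "passwd", "pwd", "access_token", "token"}
REDACTED = "[REDACTED]"


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record that is safe to persist: a random salt and a PBKDF2
    digest, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def redact_event(event):
    """Recursively blank out credential-like keys in a structured log event,
    so the logging helper cannot persist them whatever the caller passed in."""
    if isinstance(event, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact_event(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [redact_event(v) for v in event]
    return event


# key=value credentials embedded in free-text lines (query strings, form bodies)
_KV_CREDENTIAL = re.compile(r"(?i)\b(password|passwd|pwd|access_token|token)=([^&\s]+)")


def redact_line(line: str) -> str:
    """Scrub key=value credentials from a free-text log line."""
    return _KV_CREDENTIAL.sub(lambda m: f"{m.group(1)}={REDACTED}", line)


def log_event(event: dict, sink: list) -> str:
    """The logging path internal tools should go through: redact, then write."""
    safe = json.dumps(redact_event(event), sort_keys=True)
    sink.append(safe)
    return safe


def lines_with_plaintext_credentials(lines):
    """Review-time scan: return the indexes of log lines that still carry an
    unredacted credential value, so existing stores can be audited and purged."""
    hits = []
    for i, line in enumerate(lines):
        if any(m.group(2) != REDACTED for m in _KV_CREDENTIAL.finditer(line)):
            hits.append(i)
    return hits


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)  # no plaintext in what gets stored
    print("verify:", verify_password("correct horse battery staple", record))

    sink = []
    log_event({"event": "login", "user": "alice", "password": "hunter2",
               "client": {"access_token": "tok-123"}}, sink)
    print("logged:", sink[0])

    # Constructed sample of a legacy log written by a tool that did not redact.
    legacy = [
        "2019-03-21 10:00:01 POST /login user=alice&password=hunter2 200",
        "2019-03-21 10:00:02 GET /feed user=bob 200",
        "2019-03-21 10:00:03 POST /login user=carol&password=[REDACTED] 200",
    ]
    print("lines needing purge:", lines_with_plaintext_credentials(legacy))
```

The point of routing every internal tool through `log_event` rather than trusting each author to remember redaction is that the control lives in one place; the scan function is what a "routine security review" of the kind mentioned above would run against logs written before that control existed.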


This article, "Facebook Stored Hundreds of Millions Passwords in Plain Text, Thousands of Employees Had Access" first appeared on MacRumors.com


Facebook CEO Mark Zuckerberg Outlines ‘Vision and Principles’ for Building a ‘Privacy-Focused’ Social Networking Platform

Facebook CEO Mark Zuckerberg this morning penned a new missive outlining the company's plan to create a "privacy-focused messaging and social networking platform."

Facebook's new privacy-focused platform, which will see its core apps overhauled, will, according to Facebook, be built around principles that include private interactions, end-to-end encryption, ephemeral messages, safety, interoperability, and secure data storage.


Zuckerberg says that its services will be rebuilt "around these ideas" over the course of the next few years, and that as Facebook implements these changes (to both Facebook and Instagram), the company will be "taking positions on important issues concerning the future of the internet."

These changes will be implemented "openly and collaboratively," and Zuckerberg points out that many people likely won't believe Facebook is able to build such a privacy-focused platform.

I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform - because frankly we don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing. But we've repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.

The rest of Zuckerberg's article goes into more detail about each of the core principles that Facebook will be building its social networks around. For Messenger and WhatsApp, Facebook will focus on making them "faster, simpler, more private and more secure" with end-to-end encryption. Additional ways to "interact privately" with friends, groups, and businesses will be added to make interacting with friends and family "a fundamentally more private experience."

When implementing end-to-end encryption on its platforms, Facebook plans to improve its ability to identify and stop bad actors using patterns of activity to appease law enforcement agencies that will be upset with Facebook's planned encryption efforts.

We've started working on these safety systems building on the work we've done in WhatsApp, and we'll discuss them with experts through 2019 and beyond before fully implementing end-to-end encryption. As we learn more from those experts, we'll finalize how to roll out these systems.

Zuckerberg says that the company is working on ways to make messages more ephemeral, perhaps by deleting them after a month or a year by default, and as for interoperability, Facebook is going to make it possible for users to "send messages to your contacts using any of our services," something that will later be expanded to SMS interoperability.

Facebook says that much of its work is "in the early stages" and that it is committed to consulting with experts, advocates, industry partners, and governments to "get these decisions right."

Zuckerberg's full post can be read over on Facebook.



Facebook Messenger Dark Mode Fully Rolling Out in ‘Coming Weeks’


Over the weekend, it was discovered that Facebook had hidden a "Dark Mode" toggle in the latest version of Facebook Messenger.

On Monday Facebook confirmed the release of the hidden feature but also promised a full rollout in the "coming weeks."

Dark mode in Facebook Messenger can be enabled by sending a crescent moon emoji in Messenger. Facebook describes the process as "Simply send a crescent moon emoji – 🌙 – in any Messenger chat to unlock the setting and prompt to turn on dark mode." That said, many have found they may need to force quit Messenger or even reinstall it for the Dark mode to activate. There's been no word on a dark mode coming to Facebook proper.

Facebook also demonstrates that you can improve the look of your chats by tapping on the name, and selecting a custom color or gradient.



Some iOS Apps Sending an Alarming Amount of Data to Facebook and Most Users Are Unaware

It's no secret that Facebook is harvesting incredible amounts of data on all of its users (and some that don't even use the service), but what may come as a surprise is just how detailed and intimate some of that data is.

A report from The Wall Street Journal takes a look at some of the apps on iOS that provide data to Facebook, with that info then used for advertising purposes.


Instant Heart Rate: HR Monitor, for example, the most popular heart rate app on iOS, sent a user's heart rate to Facebook right after it was recorded in The Wall Street Journal's testing. Flo Period & Ovulation Tracker, which has 25 million active users, tells Facebook when a user is having a period or is intending to get pregnant.

Realtor.com, meanwhile, provides Facebook with the location and price of listings that a user viewed. Flo in particular states in its privacy policy that it does not send this kind of sensitive data, but then goes ahead and does so anyway.

Many of these apps are sending this data without "any prominent or specific disclosure," according to The Wall Street Journal's testing. Facebook collects data from apps even if no Facebook account is used to log in and even if the user isn't a member of Facebook.

Apps are sharing this data to take advantage of Facebook analytics tools that allow them to target their users more precisely with Facebook ads.

Apple does not require apps to disclose all of the partners that they share data with, and while certain personal information can be blocked, like contacts or location, more sensitive data, like health and fitness details, can be readily shared by these apps as there's no option to turn off this kind of data sharing.

Users can turn off Facebook's targeted advertising, but have no way to prevent apps from surreptitiously sending collected data to Facebook in the first place.

Facebook claimed that some of the data sharing The Wall Street Journal uncovered violates its business terms, and has asked these apps to stop sending information app users would consider sensitive.

The Wall Street Journal spoke to an Apple spokesperson, who said its App Store Guidelines require apps to obtain user consent for collecting data.

"When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action," the company said.

At least 11 out of the 70 apps tested by The Wall Street Journal were sending sensitive user data to Facebook, including six of the top 15 health and fitness apps. There's little end users can do, except to be wary of the apps they're choosing to download. Apple in the future could introduce more stringent guidelines and policy controls that would better put a stop to this kind of intrusive data harvesting.

The Wall Street Journal's full report, which is well worth reading, offers more detail on how it tested these apps and how some of the apps responded.



Apple Shut Down All of Facebook’s Internal Apps When Revoking Enterprise Certificate

Facebook is no longer able to use or distribute important internal iOS apps after Apple disabled the Enterprise Certificate Facebook was abusing to surreptitiously gather data from iOS users right under Apple's nose.

Since 2016, Facebook has been paying teens and adults $20 per month to install a data gathering "Facebook Research" app that harvested all kinds of sensitive details from participants.

Facebook abused its enterprise certificate to get customers to install a "Facebook Research" app

Apple had already banned Facebook's attempts to gather data through the Onavo VPN app, so Facebook used its enterprise certificate - provided to companies to install and manage internal apps for employees - to get participants to sideload the Facebook Research app, bypassing the App Store and Apple's oversight.

Facebook yesterday said that it was not violating Apple's enterprise rules, but as it turns out, Facebook was wrong. Apple this morning revoked Facebook's enterprise certificate and said the social network had clearly violated the Enterprise Developer Program.

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.

Facebook's revoked certificate wasn't just used for the Facebook Research app. According to The Verge, Facebook needed that certificate to run all of its internal apps, and with access revoked, none of those apps are working.

That means Facebook isn't able to distribute internal iOS apps like Facebook, Instagram, and Messenger for testing purposes, and internal employee apps for purposes like food and transportation are nonfunctional.

All of the apps that used the certificate "simply don't launch on employees' phones anymore," and Facebook is said to be treating the issue as a critical problem internally.

After the certificate was revoked, Facebook this morning said that it would shut down its Facebook Research app, though the company defended it and claimed that those who participated went through a "clear on-boarding process." The Facebook Research app for Android continues to be available.

Facebook is not going to be able to properly operate and distribute iOS apps at scale without access to its certificate, so it's not clear how this situation will play out. Apple's tools are essential for internal apps, though Facebook will likely still be able to use alternatives like TestFlight if the certificate isn't reinstated.

Apple CEO Tim Cook has been highly critical of Facebook's lack of respect for user privacy in the past, and the two companies have had a dispute over the Onavo app, but this is the first time that Apple has directly punished Facebook and shut down one of its illicit activities.



Facebook to Shut Down Controversial iOS Market Research App

Facebook has said it will end a controversial market research program in which the company paid users to install a mobile app that tracked their activity and data.

In a statement given to TechCrunch and other websites, the company said that its "Facebook Research" app, which paid volunteers between the ages of 13 and 35 up to $20 a month to access nearly all their data, would no longer be available on iOS.

The news came just hours after TechCrunch's exposé on the Facebook app, which used an enterprise certificate on iPhones to get people to sideload the app and skirt Apple's App Store rules. In the same announcement, the company also took issue with the way its "Project Atlas" program had been reported, claiming:

Key facts about this market research program are being ignored. Despite early reports, there was nothing 'secret' about this; it was literally called the Facebook Research App. It wasn't 'spying' as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens, all of them with signed parental consent forms.

In August 2018, Apple forced Facebook to remove its Onavo VPN app from the App Store because Facebook was using it to track user activity and data across multiple apps, which is a violation of Apple's App Store policy.

According to TechCrunch, a significant amount of code in the banned Onavo VPN app overlaps with the company's Facebook Research app, which remains available on Android devices.



Facebook Paying Teens $20/Month to Install Data Harvesting VPN App on iPhones

Apple in August 2018 forced Facebook to remove its Onavo VPN app from the App Store, because Facebook was using it to track user activity and data across multiple apps, something that violates Apple's App Store policies.

As it turns out, Facebook has found an underhanded way to skirt Apple's rules and get people to continue installing its VPN -- paying them.


TechCrunch this afternoon exposed Facebook's "Project Atlas" program, in which Facebook paid people -- adults and teenagers -- to install a "Facebook Research" VPN that is similar to the Onavo VPN app.

Since 2016, Facebook has been secretly offering people aged 13 to 35 up to $20 per month along with referral fees to sideload the Facebook Research app using an enterprise certificate on iPhone. Enterprise certificates like this are designed to allow companies to distribute internal corporate apps and give full root access to a device.

To hide its involvement, Facebook has been using beta testing services like Applause, BetaBound and uTest to recruit participants to install Facebook Research.

By getting people to sideload an app this way through an enterprise certificate, Facebook has access to data that includes private messages in social media apps, chats from instant messaging apps (including photos and videos), emails, web searches, web browsing activity, and ongoing location information. It's not clear if Facebook is accessing this data, but it could, according to security researcher Will Strafach, who TechCrunch consulted for this piece.

"The fairly technical sounding 'install our Root Certificate' step is appalling," Strafach tells us. "This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this."

The terms of service for the Facebook Research app suggest Facebook was collecting information about the smartphone apps on a participant's phone and how and when those apps are used. Facebook also said it would collect data about activities and content within the apps, and information about internet browsing history. There's even a line suggesting Facebook collects data even when an app uses encryption or from within a secure browser session.

Facebook confirmed the program in a statement provided to TechCrunch and reportedly said that the Facebook Research app was "in line with Apple's Enterprise Certificate program," though that does not seem to be the case based on Apple's Enterprise Certificate policy.

"Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we've provided extensive information about the type of data we collect and how they can participate. We don't share this information with others and people can stop participating at any time."

Apple has been made aware of the issue, but declined to provide a comment to TechCrunch. It's not clear how the Cupertino company will handle the situation, but as TechCrunch points out, Apple CEO Tim Cook has been highly critical of Facebook and its privacy violations. Apple could potentially block the Facebook Research app or revoke Facebook's permission to distribute internal apps entirely.

Full details on Facebook's spying app can be found in TechCrunch's exposé.



Mark Zuckerberg Plans to Make Facebook Messenger, Instagram Messaging, and WhatsApp Interoperable

Facebook CEO Mark Zuckerberg is planning to integrate three disparate messaging services -- Facebook Messenger, Instagram messaging, and WhatsApp -- into one "underlying messaging infrastructure" (via The New York Times).


These services will continue to operate as their own standalone apps, but the company's work will make them interoperable with one another. This means that a Facebook user could send an encrypted message to someone who only has a WhatsApp account, and vice versa. The company is still in the early stages of the unification, with plans to be finished by the end of 2019 or early 2020.

According to sources familiar with the plans, Zuckerberg's idea is the newest effort to keep people within the Facebook ecosystem, and off of rival texting apps like iMessage.

Mr. Zuckerberg has also ordered all of the apps to incorporate end-to-end encryption, the people said, a significant step that protects messages from being viewed by anyone except the participants in the conversation.

By stitching the apps' infrastructure together, Mr. Zuckerberg wants to increase the utility of the social network, keeping its billions of users highly engaged inside its ecosystem. If people turn more regularly to Facebook-owned properties for texting, they may forgo rival messaging services, such as those from Apple and Google, said the people, who declined to be identified because the moves are confidential.

In an official statement, Facebook said it's "working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks," alluding to the upcoming change. As of now, WhatsApp is the only one of the three main Facebook messaging apps to support secure end-to-end encrypted text messages, which ensures that texts are only read by you and the person you send them to.

This also raises privacy concerns about Zuckerberg's plans, since it's unclear how an end-to-end encrypted app would integrate with apps like Facebook Messenger. To sign up for WhatsApp, only a phone number is needed, whereas personal identities are central to apps like Facebook and Instagram, including their messaging services.

Today, WhatsApp requires people to register only a phone number to sign up for the service. By contrast, Facebook and Facebook Messenger ask users to provide their real identities. Matching Facebook and Instagram users to their WhatsApp handles could give pause to those who prefer keeping their use of each app compartmentalized.

In the wake of last year's Cambridge Analytica scandal, internal sources state that Zuckerberg has renewed his focus on WhatsApp and Instagram as the main Facebook brand was hit hard with negativity. In September, Bloomberg reported that Instagram was expected to soon become "more tightly integrated" with Facebook, in the wake of Instagram co-founders Kevin Systrom and Mike Krieger leaving Facebook.

WhatsApp founders Jan Koum and Brian Acton have also left Facebook for similar reasons. According to today's reports, employees are still clashing with Zuckerberg over the new shift in focus to WhatsApp and Instagram, with dozens of WhatsApp employees arguing with Zuckerberg over the upcoming messaging integration plan on internal message boards, as well as during a "contentious" staff meeting last month.

During this meeting, WhatsApp employees reportedly asked Zuckerberg why he was so focused on making the messaging services integration a priority for 2019. According to sources, his responses were "vague" and "meandering," and as a result several WhatsApp employees have left and more are planning to leave because of the plan.



Facebook Stories to Get Experimental Event Planning Feature

Facebook has revealed plans to start testing a way for users to "share the events" they are interested in and "coordinate to meet up with friends" using its Stories feature, according to The Verge. The test will roll out to Facebook users on iPhone and Android smartphones in the United States, Brazil, and Mexico.


The report outlines how the feature will work:

The stories will come with tappable stickers for revealing event details, and friends can toggle themselves as "interested" or "going" to the event right from within the story. There's also a link to the event page built in and a way to start a group chat on Messenger with friends who responded.

Facebook Stories have a reputation for being unpopular, but Facebook remains a popular platform for planning events like birthday parties, so this test could attract more people to start using Facebook Stories.

Back in September, Facebook did say its Stories features have a combined 300 million daily users across its Facebook and Messenger apps, which is quite a surprising stat, as Facebook Stories appear to be far less popular than Stories on Instagram or Snapchat based on our anecdotal observations.



Apple Hires Prominent Facebook Critic for Internal-Facing Product Privacy Role

Apple has recruited a former Facebook employee who went on to become one of the social network's most ardent critics, reports The Financial Times (paywall). Sandy Parakilas monitored the privacy and policy compliance of Facebook developers for 18 months before leaving the social network in 2012.

Sandy Parakilas talking to Bloomberg

During his time at the company, Parakilas felt his concerns about its data-sharing policies were downplayed, according to FT.

Last year, following the Cambridge Analytica scandal, Parakilas also gave evidence to the British parliament's digital, culture, media, and sport committee, and told MPs that Facebook's data protection practices were "far outside the bounds of what should have been allowed" between 2010 and 2014.

Mr Parakilas has urged the tech industry to improve its data protection practices, increase the use of encrypted messaging and "verify the truth of statements that can be viewed by millions of people".

"We now live in a world where racist demagogues and their dictator buddies can cynically exploit our tools to seize power," he wrote in a blog post in late 2016. "There is no such thing as a 'neutral platform'. Facebook, Twitter and Google all profited from this perversion of democracy."

According to FT's sources, Parakilas will work in Apple's privacy team as a product manager, an internal-facing role designed to ensure that new products in development protect users' privacy and minimize data collection.

Apple has made much of its privacy focus in recent years. In 2018, CEO Tim Cook singled out user privacy as a "core value" of Apple's that reaches way back to before smartphones had become a feature of people's daily lives.

Recently, in the heart of Las Vegas where the Consumer Electronics Show is currently underway, Apple put up a giant sign touting the security of its devices to remind the tech industry of its heavy emphasis on privacy.

Apple does not have a presence at the show, but CES attendees will be seeing products from companies with less of a privacy focus like Google and Amazon.

