Facebook will never be completely secure


And neither will any other service you rely on.

Yesterday, Facebook announced that it found — and fixed — a stunning security breach that put 50 million people’s accounts at risk. In the words of Facebook executives, the attack was “sophisticated” and its reach was “broad.” And, more chillingly, we don’t know who was behind it or what they intended to do with that account data.

“While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk,” Facebook CEO Mark Zuckerberg said, “the reality is we need to continue developing new tools to prevent this from happening in the first place.”

His sentiment is correct: Facebook needs to prevent these sorts of breaches before they happen. But is that even possible? Can Facebook pre-emptively stamp out every potentially disastrous vulnerability before it’s discovered? Almost certainly not.

Facebook has come a long way since one person could actively manage it from a dorm room. Aaron Chiu, a software engineer for Facebook, noted on Quora that as of five years ago, core Facebook was made up of 62 million lines of code. A codebase that complex requires a great many stewards and the service has only grown more sophisticated since then. More moving parts means more things that could potentially go awry, but the service’s growing complexity means it’s highly unlikely the company will ever be able to completely secure its products. (When asked if the company felt otherwise, a Facebook spokesperson simply pointed at existing statements.)

It doesn’t help that this breach — one of, if not the, largest in the company’s history — came about through a seemingly unlikely confluence of flaws.

Guy Rosen, Facebook’s vice president of product management, said on a call with reporters earlier today that the breach was the result of three bugs inadvertently working in tandem. The first allowed people using Facebook’s View As feature, which lets you see what a particular friend would see if they looked at your profile, to access a video uploader that they shouldn’t have been able to use. That uploader is the crux of bug number two: it created a single sign-on token meant for Facebook’s mobile app, not the standard web version. The final bug was arguably most damning: the access token created by the video uploader was for the account being viewed, allowing the attacker (or attackers, we’re not sure) to gain access to a stranger’s profile and repeat the process for that person’s friends.

[Read More]