Facebook, the early years: handing out a master password like candy


You are not paranoid about surveillance - at least, not as far as Facebook is concerned.

It appears that Facebook founder Mark Zuckerberg and his minions, in the early days, had a master password with which they could sign in to any user account and poke at whatever data we entrusted to the site.

The Guardian gleaned this from Zuckerberg's former speechwriter, Katherine Losse.

Losse told the media outlet that users should be guarded with their private data on the site - a timely warning, given the launch of Facebook's social search tool, Graph Search.

Losse - aka Facebook employee No. 51 - joined the company in 2005 as a customer support staffer and worked her way up to being Zuckerberg's ghostwriter. She left in 2010 and, according to the Guardian, is now regarded as a rogue former employee by Facebook itself.

In 2012, she released a book, The Boy Kings, about those early years.

Recent revelations about the US National Security Agency's (NSA's) voracious appetite for surveillance may have left many users of social networking sites fretting about the government sucking up our private data, but Facebook has been privy to that data - including our passwords - from its infancy, Losse told the Guardian.

As The Guardian's Siraj Datoo points out, that's a little scary, given that plenty of users likely have never changed their passwords since they first signed up.

To make matters worse, many people commit security blasphemy by using the same password on multiple sites.

To make matters spontaneously combust in worse-osity, Losse wrote in "The Boy Kings" that in its early years, Facebook passed out the master password like candy, without vetting any of the support staffers.

Here's an excerpt from the book, courtesy of coverage from CNet's Jennifer Van Grove:

"Jake introduced us to the hanky application through which users' e-mails to Facebook flowed. Once we learned how the software worked, Jake taught us, without batting an eyelid, the master password by which we could log in as any Facebook user and access all their messages and data... I experienced a brief moment of stunned disbelief: They just hand over the password with no background check to make sure I am not a crazed stalker?"

As Losse told The Guardian, social networking users tend to assume they're the only ones who can access the information they input, but at most companies, it's probably not true, given that "at least some of the staff need to have access to user accounts in order to do their jobs."

She said:

"There has to be a way for the staff to manage and repair user account issues, and for this reason user data within most startups, especially when they are young, is never completely locked up from company staff."

At any rate, Facebook doesn't hand out a master password anymore, it says.

Nowadays, the company told CNet, employees don't have password access:

"An audit by the Irish Data Protection Commission included a detailed review of the level of access to user data that employees have at Facebook and found that we have an appropriate framework in place. Facebook employees do not have access to users' passwords."

It is, of course, preferable that we have as clear a picture as possible of what companies do with our personal data, so this history of early data yahooism is welcome.

If it helps Losse to sell more books by tying it in to concern about PRISM-like surveillance, that's OK, as far as I'm concerned.

The more light we shed on these formerly murky matters, the better.

Facebook from its start could watch us, listen to us, and, probably, make fun of us and our soppy, trivial and/or really embarrassing posts and data.

Now it can't, it assures us.

If that helps to ease your compulsive surveillance suspicions, paralyzing fear of electronic privacy violation, or even, to borrow the Joy of Tech's formal diagnosis, PRISM Anxiety Disorder, all the better.

Thank you, Ms. Losse, for letting us know.

Images of Facebook silhouette and Mark Zuckerberg courtesy of Kobby Dagan / Shutterstock.com.


12 Responses to Facebook, the early years: handing out a master password like candy

  1. Renee · 278 days ago

    This is only news to people who thought they had privacy on the internet in the first place.

    in other words.... the ignorant and naive.

  2. This is no real surprise. From the first glimmers of email, anyone with the interest to listen knew that *any* system was open to the administrators and designers of the system. New clients and new server architectures don't change that Facebook at its heart is an email system gone rogue.

  3. Is anyone really surprised that Facebook has access to information that we have given them?

  4. So, it's safe now? "An audit by the Irish Data Protection Commission included a detailed review of the level of access to user data that employees have at Facebook and found that we have an appropriate framework in place. Facebook employees do not have access to users' passwords." That says "users' passwords", and nothing about a "master password"!!!!!!!!!!!

    • Right, they probably store your password hashed and compare hashes on login. That's the typical pattern for authentication.

      That doesn't preclude a backdoor, however, which, in essence, this master password is.

      By the way, Facebook is not the first entity to create a backdoor. I submit to you the SkipJack algorithm and the clipper chip created by our fine friends in that three letter organization that rhymes with essay.

  5. Just treat Facebook like your social CV and you are fine. You aren't going to put on your professional CV that you are a madman after hours who likes to drink until the wee hours of the night right? So don't put that same stuff on your social network.

  6. Anyone with write access to the codebase and/or read access to the database it runs on, can be considered to have full access to anything you post on Facebook.

    Tacking a "or $password == 'letmein'" onto the end of the If() that's validating the login of a user is really easy, and is I assume the principle that this master password worked on.

    Reading a database table to find the user record, you'll get a username and a password that's been hashed. One would hope salted and hashed, but depending on the app that may not help - Joomla keeps/kept the salt in the same field as the password, never quite understood that one...

    • njorl · 273 days ago

      "the salt in the same field as the password" - meaning both the salt and the hash of the salted password are held in a single, structured, field?

      That is not so bad. The benefit of the salt comes not so much from keeping it secret (the system must always be able to find it, after all) but from the fact very few accounts will have the same salt. Quite possibly, each account's salt will be unique.

      Were there no salt, we could pre-calculate the hash of every likely password (or a list of previously harvested passwords). Storing these hashes and passwords in an indexed table (equivalently, a hash map) enables us to rattle through all accounts, quickly finding the password, in the case it was on our original list.

      With the introduction of salt, however, we need to calculate the hash of the trial password plus the account's salt, and cannot reuse our result for cracking other accounts, unless they happen to have the same salt. This massively increases the computational effort to crack a given number of accounts.

      However, if I only ever wanted to crack one account - yours! - once I know the salt, the time to crack is not much increased. The hashing takes slightly longer, and I am much less likely to be able to obtain ready-calculated hashes to download, but that's about it. So, in that specific case, making me work a little harder to find the salt chosen for you does afford you a non-negligible uplift in protection.
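As an added illustration of the cost model njorl describes, and of the salt-beside-hash storage mentioned in comment 6, here is example code that is not from the post, Facebook or Joomla. It assumes SHA-256, a constructed four-word list and a Joomla-style single "hash:salt" field; a production system would use a deliberately slow password hash (bcrypt, scrypt or Argon2) rather than a bare SHA-256.

```python
import hashlib
import hmac
import os

# Constructed sample inputs: a tiny "likely passwords" list and three test accounts.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
ACCOUNTS = {"alice": "password", "bob": "letmein", "carol": "hunter2"}

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

def store_unsalted(accounts: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}

def store_salted(accounts: dict, salt_for=None) -> dict:
    # Joomla-style: salt is kept in the same field as the hash ("<hash>:<salt>").
    # The salt is not secret; its value is in being different for every account.
    out = {}
    for user, pw in accounts.items():
        salt = salt_for(user) if salt_for else os.urandom(8).hex()
        out[user] = f"{salted_hash(pw, salt)}:{salt}"
    return out

def verify_login(field: str, password: str) -> bool:
    # The login check recomputes the hash with the stored salt; no plaintext is kept.
    digest, salt = field.split(":")
    return hmac.compare_digest(salted_hash(password, salt), digest)

def match_unsalted(store: dict, wordlist: list) -> tuple:
    # One precomputed table serves every account: work = len(wordlist), reused for all.
    table = {unsalted_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in store.items() if h in table}
    return found, len(wordlist)

def match_salted(store: dict, wordlist: list) -> tuple:
    # With per-account salt nothing can be reused: each account costs its own hashes.
    found, work = {}, 0
    for user, field in store.items():
        digest, salt = field.split(":")
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == digest:
                found[user] = w
                break
    return found, work
```

With the constructed inputs, the unsalted store needs 4 hash computations to check all three accounts, while the salted store needs 9 (2 + 3 + 4) and the cost grows with the number of accounts, which is exactly the effect njorl describes.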

  7. If I read this correctly, "Facebook employees do not have access to users' passwords.", it only means they do not have access to your password, not that they do not have passwords to access your account. Even then, the information is in databases, or some similar data store. Who needs to see your actual account?

  8. Christophe · 275 days ago

    Consider the following hypothetical scenario:
    ________________
    If a bunch of people from some random companies you've never heard of knocked on your front door and started asking you for all sorts of details about your personal opinions, your relationships, your job, and your life in general, you'd probably tell them to get bent.

    If they told you that they wanted the information so they could sell it to others who would then try to sell you stuff, you'd probably tell them to go to hell.

    But then some bozo named Zark Muckerberg comes along and gives you a place to write all that stuff about yourself "for free", so he can sell it to a bunch of companies you've never heard of, and you jump on it. And in the process, it's available to all kinds of other people you don't know...some of whom you'd never want to have such information about you.

    Even after it becomes a matter of public record that this hypothetical Zark Muckerberg explicitly says you're a "dumb f_ck" for doing it, it doesn't matter. You still make him rich by supplying him with your information...and that really IS for free. He doesn't pay you anything, except a place to post it where everyone can read it. The cost to you is your privacy.
    ________________

    Of course, nothing so ridiculous could ever happen. You're way smarter than that.

    Ummm...

  9. Lucky Starr · 275 days ago

    Very old news. Back in January 2010, an unnamed Facebook employee said this very thing in an interview. It was laughed off by a lot of the tech media. Just search on "Facebook master password."

    In fact, look at http://nakedsecurity.sophos.com/2010/01/15/chuck-... . Seems Graham had the scoop back then.

  10. andrew · 275 days ago

    nothing new there then!


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.