Facebook exposed up to 6.8 million users’ private photos to developers in latest data leak

Facebook exposed private photos from up to 6.8 million users to apps that weren’t supposed to see them, the company said today. These apps were authorized to see a limited set of users’ photos, but a bug allowed them to see pictures they weren’t granted access to. These included photos from people’s stories as well as photos that people uploaded but never posted (because Facebook saved a copy anyway).

The exposure occurred between September 12th and September 25th. Facebook told TechCrunch that it discovered the breach on the 25th; it isn’t clear why the company waited until now to disclose it. (Perhaps it’s because the company was dealing with a separate and substantially larger breach that it also discovered on September 25th.)

Affected users will receive a notification alerting them that their photos may have been exposed. Facebook also says it’ll be working with developers to delete copies of photos they weren’t supposed to access. In total, up to 1,500 apps from 876 different developers may have inappropriately accessed people’s pictures.

Facebook said the bug had to do with an error related to Facebook Login and its photos API, which allows developers to access Facebook photos within their own apps. All of the impacted users had logged into a third-party app using their Facebook accounts and granted them some degree of access to view their photos.

“We’re sorry this happened,” writes Tomer Bar, engineering director at Facebook. The disclosure comes exactly one day after Facebook opened a pop-up installation in New York to show people how “you can manage your privacy” on the site.

Facebook has been in hot water again and again this year over data breaches and exposures, most notably with Cambridge Analytica. In many cases, the problems haven’t been caused by hackers, but they have stemmed from issues within Facebook itself. The Cambridge Analytica breach happened because of Facebook’s lax oversight of developers and data sharing; today’s issue happened because of another breakdown in communication between Facebook and developers.

Google has already pledged to shut down Google+ over similar issues. Twice this year, the service exposed information inappropriately to developers.

Source: The Verge, Jacob Kastrenakes

Windows 10 can carry on slurping even when you’re sure you yelled STOP

All your activity are belong to us

Updated A feature introduced in the April 2018 Update of Windows 10 may have set off a privacy landmine within the bowels of Redmond as users have discovered that their data was still flowing into the intestines of the Windows giant, even with the thing apparently turned off.

In what is likely to be more cock-up than conspiracy, it appears that Microsoft is continuing to collect data on recent user activities even when the user has explicitly said NO, DAMMIT!

First noted in an increasingly shouty thread over on Reddit, the issue is related to Activity History, which is needed to make the much-vaunted and little-used Timeline feature work in Windows 10.

Introduced in what had previously been regarded as one of Microsoft’s flakiest updates – prior to the glory of the October 2018 Update, of course – Timeline allows users to go back through apps as well as websites to get back to what they were doing at a given point.

Use a Microsoft account, and a user can view this over multiple PCs and mobile devices (as long as you are signed in with that same Microsoft account). The key setting is that “Send my activity history to Microsoft” check box. Uncheck it and you’d be forgiven for thinking your activity would not be sent Redmondwards. Right?

Except, er, the slurping appears to be carrying on unabated.

The Redditors reported that if one takes a look at the Activity History in the Privacy Dashboard lurking within their account, apps and sites are still showing up.

The fellows over at How To Geek have speculated the issue may be something to do with Windows’ default diagnostic setting, which is set to Full and will send back app and activity history unless changed to Basic. Of course, Windows Insiders have no option but to accept Full, although a bit of slurping is likely to be the least of their problems.

A thread at TenForums has also provided a guide to turning the thing off, ranging from tinkering with Group Policies through to diving headlong into the Registry. Neither are options likely to appeal to users who would expect that clearing the “Send data” box would stop data being sent.

Deliberate slurpage, or a case of poor QA and one team not talking to the other aside, it isn’t a great look for Microsoft and users are muttering about potential legal action. Privacy lawyers will certainly be taking a close look – after all, the gang at Redmond are already under scrutiny for harvesting data and telemetry from lucky users of Windows 10.

Google has been on the receiving end of a sueball for slurping location data from users’ phones and providing an over-complicated way to turn off the “feature”.

It is all a bit of a mess and has left users unsure of what is being collected and when. We have contacted Microsoft to find out how it plans to deal with the situation (ideally before 2018’s privacy bogeyman, GDPR, makes an appearance) and will update if a response is forthcoming. ®

Update 13 December 16:45 UTC

Microsoft got in touch to insist it is committed to privacy and transparency, but admitted there is indeed a bit of a naming problem, with “Activity History” cropping up in both Windows 10 and the Microsoft Privacy dashboard.

Marisa Rogers, Privacy Officer at the software giant, told us: “We are working to address this naming issue in a future update.”

The slurpage collection is of course for your benefit and Rogers added that users have “controls to manage your data.”

Hackers Breached Equifax for 76 Days Before Being Discovered

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

‘Entirely preventable’ theft down to traffic-monitoring certificate left expired for 19 months

Source: The Register’s Shaun Nichols in San Francisco 

Updated A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.

The 96-page report (PDF) from the Committee on Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.

“Equifax, however, failed to implement an adequate security program to protect this sensitive data,” the report reads.

“As a result, Equifax allowed one of the largest data breaches in US history. Such a breach was entirely preventable.”

The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months and the Apache Struts patch that went uninstalled for two months because of that bad cert.

The report states that Equifax’s IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software.
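To make the scan-scope failure described above concrete, here is an added example in Python (not code from the committee report or The Register): the same directory tree is scanned root-only and recursively, and only the recursive pass finds the old jar. The directory layout, jar names and the “fixed” version threshold are constructed for the demo.

```python
# Added example (not from the report or The Register): a scan of the root
# directory alone misses a vulnerable Apache Struts jar nested below it.
# Directory layout and the "fixed" version threshold are constructed.
import os
import re
import tempfile
from pathlib import Path

# Struts 2 ships its core library as struts2-core-<version>.jar.
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.3.31' -> (2, 3, 31) so versions compare numerically, not as text."""
    return tuple(int(p) for p in text.split("."))

def find_struts_jars(root, recursive):
    """Map jar path -> version; recursive=False mimics a root-only scan."""
    found = {}
    for directory, _, names in os.walk(root):
        for name in names:
            m = STRUTS_JAR.match(name)
            if m:
                found[os.path.join(directory, name)] = parse_version(m.group(1))
        if not recursive:
            break  # os.walk yields the root first; stop there, as Equifax did
    return found

def unpatched(jars, fixed_version):
    """Paths whose version is older than fixed_version (assumed patched)."""
    fixed = parse_version(fixed_version)
    return sorted(p for p, v in jars.items() if v < fixed)

def build_demo_tree():
    """Constructed layout: patched jar at the top level, an old one buried in
    a webapp's WEB-INF/lib, the kind of place a root-only scan never looks."""
    root = Path(tempfile.mkdtemp(prefix="struts-demo-"))
    (root / "struts2-core-2.5.13.jar").write_bytes(b"")
    nested = root / "webapps" / "acis" / "WEB-INF" / "lib"
    nested.mkdir(parents=True)
    (nested / "struts2-core-2.3.31.jar").write_bytes(b"")
    return str(root)

def compare_scans(root, fixed_version="2.5.13"):
    """Return (root_only_findings, recursive_findings) for the same tree."""
    shallow = unpatched(find_struts_jars(root, recursive=False), fixed_version)
    deep = unpatched(find_struts_jars(root, recursive=True), fixed_version)
    return shallow, deep
```

Running `compare_scans(build_demo_tree())` returns an empty list for the root-only pass and one nested path for the recursive pass, which is the gap an inventory scan has to close before a patch status can be trusted.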

Both issues were blamed for allowing an attacker to compromise the Equifax Automated Consumer Interview System and then spend weeks moving throughout the network to harvest personal records from other databases. It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.

While those two specific issues were pinpointed as the source of the attack, the report finds that the intrusion was allowed to happen because the IT operation at Equifax had grown far too large far too fast, without a clear management structure or coherent policies across various departments.

Lousy IT security by design

“In 2005, former Equifax CEO Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, IT systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks,” the committee found.

“In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”

What’s more, the report notes that Equifax had been aware of these shortcomings for years, with internal audits that found problems in their software patching process back in 2015, and in both 2016 and 2017 a report from MSCI Inc. rated Equifax network security as a “zero out of ten.”

A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s, was not properly walled off from other databases, a fault that allowed the attackers to access dozens of systems they would not have otherwise been able to get to.

“Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases,” the report noted.

“As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment.”

After the pwning of its servers was revealed, Equifax blamed its woes on an IT staffer who hadn’t installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax’s failings than this one scapegoat.

To help prevent similar attacks from occurring, the report recommends a number of additional requirements for credit reporting agencies to tell people what information is being gathered, how it is stored, and who it is shared with. The report also suggests moving away from social security numbers as personal identifiers and recommends that companies in the finance and credit sectors be pushed to modernize their IT structure. ®

Updated to add

Equifax sent the following statement to The Register:

“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” the company said.

“During the few hours we were given to conduct a preliminary review before they released it yesterday, we identified significant inaccuracies and disagree with many of the factual findings. This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident.”

The credit biz has yet to identify what in the report is inaccurate.
