Facebook Engineers Can Access Your Account Without A Password

British electronica label owner and artist Paavo Siljamäki made an interesting Facebook post recently.

“Popped to Facebook offices in LA, the nice people there were giving us good advice on how to use Facebook better,” he wrote. “I was then asked if I’m ok for them to look at my profile, I said ‘sure.’ A Facebook engineer can then log in directly as me on Facebook seeing all my private content without asking me for the password.”

Facebook’s Zero Tolerance Policy – Protection Enough?

Well, of course, they can do that, you say. But it’s not something people think of every time they log into Facebook. And with Facebook used as a way to log into so many other sites these days, a whole new level of security vulnerability presents itself.

After the story got attention from Siljamäki’s legion of fans, a Facebook employee (see below) took the time to comment in a way that did not deny this access. Instead, the comment justified the access as limited and used only by those with a strict need for it. Additionally, they claim there are bi-weekly audits of access logs.

But, if that’s the case, the damage would already be done, wouldn’t it?


Against Their Own Terms

The Facebook engineer who accessed Paavo Siljamäki’s account violated the terms of service, which nowhere describe situations in which Facebook itself might go into its users’ accounts. One thing they do say, however, is that you’re not allowed to use other people’s Facebook accounts or allow others to use your account.

(3.5) You will not solicit login information or access an account belonging to someone else.

(4.8) You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

The terms don’t exempt Facebook employees. So, even though Facebook appears to have an extensive internal policy covering these activities, and may even take it seriously, the Facebook accounts of all the people who’ve done this should be disabled.

Beyond Facebook

The time has come for decentralized social networking to replace the Facebook hegemony on identity. This company makes billions by trafficking in the data on children as young as thirteen. People have become the product, in many cases unwittingly. People always point to the fact that these things are governed by terms of service, but that doesn’t go far enough.

This case is an example of an action Facebook allows itself to take which is not expressly obvious to users. A jilted lover who happens to be a Facebook engineer could do a great deal of damage to his or her ex-lover’s life before getting fired, and that’s just one situation which seems realistically possible.

At the very least, the actual access should be evident to the user. We can reasonably expect that if the government wants to know what’s going on in our Facebook accounts, they will. But an engineer with this level of access could in good faith be fooled by someone who is simply social engineering, pretending to be someone they are not, and in some cases the damage can be irreversible.
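The design principle in this paragraph, that staff access to an account should be justified, logged, and visible to the account owner, can be sketched in code. The following Python is an added example written for this page, not Facebook's code and not a description of its internal tooling; the class and method names, the short-lived consent requirement, the ticket reference and the notification format are all assumptions made here.

```python
# Added example (not Facebook's code): an impersonation workflow in which every
# "log in as user" action needs the owner's recent consent and a written reason,
# is appended to an audit log, and is shown to the account owner afterwards.
# All class, method and field names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class ImpersonationEvent:
    actor: str          # staff member who opened the session
    target_user: str    # account that was viewed
    reason: str         # free-text justification
    ticket: str         # support/ticket reference tying the access to a request
    started_at: datetime


class ImpersonationService:
    """Gate and record staff access to user accounts."""

    def __init__(self, authorised_actors):
        self._authorised = set(authorised_actors)
        self._consents: Dict[str, datetime] = {}          # user -> consent expiry
        self._audit_log: List[ImpersonationEvent] = []    # append-only record
        self._notifications: Dict[str, List[str]] = {}    # user -> messages shown to them

    def record_consent(self, user: str, given_at: datetime, ttl=timedelta(hours=1)):
        # Consent is explicit and short-lived: it cannot be reused days later.
        self._consents[user] = given_at + ttl

    def start_session(self, actor, target_user, reason, ticket, now):
        if actor not in self._authorised:
            raise PermissionError(f"{actor} is not allowed to impersonate users")
        if not reason.strip() or not ticket.strip():
            raise ValueError("a reason and a ticket reference are required")
        expiry = self._consents.get(target_user)
        if expiry is None or now > expiry:
            raise PermissionError(f"no current consent from {target_user}")
        event = ImpersonationEvent(actor, target_user, reason, ticket, now)
        self._audit_log.append(event)
        # The owner sees the access in their own account, not only in an internal log.
        self._notifications.setdefault(target_user, []).append(
            f"{now.isoformat()}: {actor} viewed your account ({reason}; ticket {ticket})"
        )
        return event

    def notifications_for(self, user):
        return list(self._notifications.get(user, []))

    def audit_report(self, since, until):
        """Per-actor access counts for a review window (e.g. a bi-weekly audit)."""
        counts: Dict[str, int] = {}
        for ev in self._audit_log:
            if since <= ev.started_at < until:
                counts[ev.actor] = counts.get(ev.actor, 0) + 1
        return counts


if __name__ == "__main__":
    # Constructed walkthrough: one consented support visit, then the owner's view of it.
    svc = ImpersonationService(["eng-1"])
    t0 = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    svc.record_consent("artist", t0)
    svc.start_session("eng-1", "artist", "account walkthrough", "SUP-1", t0 + timedelta(minutes=5))
    for line in svc.notifications_for("artist"):
        print(line)
    print(svc.audit_report(t0, t0 + timedelta(days=14)))
```

The two checks a practitioner would care about are both here: the session cannot start without the owner's recent consent and a ticket reference, and the record of the access goes to the owner as well as to the internal audit log, so a review that happens weeks later is not the only place the access would ever surface.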


Website: http://phm.link

P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of her competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions on a number of other cryptocurrency projects. In spare time, he recently began a more personalized, weekly newsletter at http://ico.phm.link