Anon Facebook employee reveals security issues, staff abuses


Facebook is currently the most popular social networking tool, but many don’t realise that it hosts a lot of personal data – from birthdays to embarrassing pictures from your friend’s 21st birthday party. This, of course, means that many don’t realise how dangerous it can be to post that much personal information.

In a recent interview with The Rumpus, an anonymous employee of the social network reveals how Facebook staff can access your profile, at one point even by typing in your user ID and a master password made up of “upper and lower case, symbols [and] numbers” that spelled out Chuck Norris.

Rumpus: You’ve previously mentioned a master password, which you no longer use.

Employee: I’m not sure when exactly it was deprecated, but we did have a master password at one point where you could type in any user’s user ID, and then the password. I’m not going to give you the exact password, but with upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,’ more or less. It was pretty fantastic.

Rumpus: This was accessible by any Facebook employee?

Employee: Technically, yes. But it was pretty much limited to the original engineers, who were basically the only people who knew about it. It wasn’t as if random people in Human Resources were using this password to log into profiles. It was made and designed for engineering reasons. But it was there, and any employee could find it if they knew where to look.

The employee goes on to note that you have to be inside Facebook, using the company-provided internet service, to use the “master password”. He also reveals that two Facebook employees abused their “universal access” privileges, and admits that he has done it as well, but “never manipulated their data in any way”.

Facebook, however, no longer uses this method, as all messages – deleted or not – are stored in one database and a simple query would bring them up. Facebook has also cracked down on abuses of universal access and replaced the master password with a “pretty cool tool.”

Rumpus: How about reading their messages?

Employee: Never individually like that. I would mostly just look at profiles.

Rumpus: Would you suppose that Facebook employees might read people’s messages?

Employee: See, the thing is — and I don’t know how much you know about it — it’s all stored in a database on the backend. Literally everything. Your messages are stored in a database, whether deleted or not. So we can just query the database, and easily look at it without ever logging into your account. That’s what most people don’t understand.

Rumpus: So the master password is basically irrelevant.

Employee: Yeah.

Rumpus: It’s just for style.

Employee: Right. But it’s no longer in use. Like I alluded to, we’ve cracked down on this lately, but it has been replaced by a pretty cool tool. If I visited your profile, for example, on our closed network, there’s a ‘switch login’ button. I literally just click it, explain why I’m logging in as you, click ‘OK,’ and I’m you. You can do it as long as you have an explanation, because you’d better be able to back it up. For example, if you’re investigating a compromised account, you have to actually be able to log into that account.

Rumpus: Are your managers really on your ass about it every time you log in as someone else?

Employee: No, but if it comes up, you’d better be able to justify it. Or you will be fired.

Rumpus: I would imagine they take this—

Employee: Pretty seriously. I don’t really fuck around, at all.