
Private messages from 81,000 hacked Facebook accounts for sale - dustinmoris
http://www.bbc.co.uk/news/technology-46065796
======
petagonoral
Maybe it's time for the browsers to put more effort into extension network
security.

1) Every extension has to declare up front what URLs it needs to communicate
to.

2) Every extension has to provide schema of any data it intends to send out of
browser.

3) Browser locally logs all this comms.

4) Browser blocks anything which doesn't match strict key values & value
values and doesn't leave browser in plain text.
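As an added example (my own sketch, not the commenter's code and not part of any real browser), the four rules above can be modelled as a small egress policy: an extension ships a manifest declaring its allowed origins and the schema of anything it sends, the browser logs every outbound attempt locally, and anything that is sent in plain text, goes to an undeclared origin, or carries undeclared keys or mis-typed values is blocked. The manifest layout, field names and the sample requests are all constructed for illustration.

```python
"""Hypothetical egress policy for browser extensions (added example, not part
of the thread or of any real browser).  It models the four points proposed
above: declared origins, a declared outbound data schema, a local log of every
attempt, and blocking of anything undeclared, malformed or sent in plain text.
The manifest layout and field names are invented for illustration."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any
from urllib.parse import urlparse

# Constructed manifest for a hypothetical bookmarking extension: it may talk to
# a single origin and may only send a page URL plus a short title.
BOOKMARK_MANIFEST = {
    "name": "example-bookmarker",
    "allowed_origins": ["https://api.bookmark.example"],
    "egress_schema": {
        "url": {"type": "string", "max_len": 2048},
        "title": {"type": "string", "max_len": 200},
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class EgressPolicy:
    manifest: dict
    log: list[dict] = field(default_factory=list)  # point 3: local comms log

    def _schema_error(self, payload: Any) -> str | None:
        """Point 4: every key must be declared and every value must match its
        declared type and size; returns a reason string on the first mismatch."""
        schema = self.manifest["egress_schema"]
        if not isinstance(payload, dict):
            return "payload is not a JSON object"
        for key, value in payload.items():
            spec = schema.get(key)
            if spec is None:
                return f"undeclared key {key!r}"
            if spec["type"] == "string":
                if not isinstance(value, str):
                    return f"key {key!r} is not a string"
                limit = spec.get("max_len")
                if limit is not None and len(value) > limit:
                    return f"key {key!r} exceeds max_len {limit}"
            elif spec["type"] == "integer":
                if isinstance(value, bool) or not isinstance(value, int):
                    return f"key {key!r} is not an integer"
            else:
                return f"unsupported declared type for {key!r}"
        return None

    def check(self, url: str, payload: Any) -> Decision:
        """Evaluate one outbound request; every attempt is logged, allowed or not."""
        parts = urlparse(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        if parts.scheme != "https":
            decision = Decision(False, "not encrypted in transit")
        elif origin not in self.manifest["allowed_origins"]:  # point 1
            decision = Decision(False, f"undeclared origin {origin}")
        else:
            err = self._schema_error(payload)  # points 2 and 4
            decision = Decision(err is None, err or "ok")
        self.log.append({
            "extension": self.manifest["name"],
            "url": url,
            "bytes": len(json.dumps(payload)),
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision


def run_demo() -> tuple[EgressPolicy, list[Decision]]:
    """Four constructed requests: one that matches the manifest and three that
    each violate a different rule."""
    policy = EgressPolicy(BOOKMARK_MANIFEST)
    legit = {"url": "https://example.org/article", "title": "An article"}
    # Same endpoint as the legitimate call, but the payload carries a field the
    # manifest never declared; the strict schema check rejects it regardless of
    # what that field contains.
    extra = dict(legit, messages=["hello", "see you at 9"])
    decisions = [
        policy.check("https://api.bookmark.example/save", legit),
        policy.check("http://api.bookmark.example/save", legit),
        policy.check("https://collector.example.net/upload", legit),
        policy.check("https://api.bookmark.example/save", extra),
    ]
    return policy, decisions


if __name__ == "__main__":
    pol, results = run_demo()
    for entry in pol.log:
        print(json.dumps(entry))
```

The log records every attempt, including blocked ones, so a user or a reviewer can see what an extension tried to send and where; the schema check deliberately rejects on the first undeclared key rather than stripping it, since silently dropping fields would hide the attempt.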

~~~
simion314
Mozilla and Google should look at the top extensions and implement the popular
ones as official extensions (or for some it may be worth building them inside the
browser). Reader mode is now part of some browsers, so you do not need an
extension.

Mozilla could implement ad blocking extensions and give the user the option to
use a custom block list (so Mozilla is not accused of becoming a gatekeeper).

~~~
johnchristopher
Or maybe not: the Firefox version of the Pocket extension is badly baked (you
have to wait for the adding animation to disappear, otherwise it gets
cancelled. The previous version was "click and it's added in the background").

The Chrome version is more usable.

The great Firefox redesign at the beginning of the century was about slimming
down Mozilla the navigator and letting extensions extend the browser. Is that the
pendulum going back and forth?

~~~
Retric
I think the minimum browser changes over time, but without adding and removing
features it's hard to discover what that minimum is.

For example, some form of ad or at least popup blocking should be included,
but that does not preclude useful addons from customizing the experience.

------
Santosh83
Rogue extensions are the Achilles' heel of browsers, yet the ramifications
aren't understood by the average user, who happily installs all sorts of
addons and extensions. Frankly I'm surprised more sensitive information hasn't
already been stolen/harvested all these years. This is why I run my browser
with no extensions, with the sole exception of uBlock Origin.

~~~
Cthulhu_
I wouldn't object to extensions becoming paid and verified - that is, an
expert review team doing a code / security review for each update of an
extension. Either paid for by the authors, or done for free by e.g. Google
because they have plenty of money and they are directly impacted if their
platform releases a malicious extension.

~~~
saagarjha
The downside to this would be that this would still be possible to bypass if
users are allowed to install "unverified" extensions, but removing this
feature would lead to the downsides of the App Store, namely Google having full
control over what their browser supports. Them being an advertising company,
there are whole classes of popular extensions that directly hurt their
business.

~~~
tracker1
Unverified extensions are also a bitch now... I can't just install all my own
via open-source extensions without a painful experience now in Chrome.

It's a mixed bag.

------
kerng
Browser extensions, although super useful, freak me out.

It's the operating system equivalent of a kernel driver, getting access to
everything.

They lack transparency, updates can be sketchy and I don't ever know based on
what I should make trust decisions (number of downloads, is it an individual
or company, permissions, ...).

------
sct202
If I could purge some of my Facebook messages after a certain age, I think
that would be great. When I downloaded my archive, I had circa-2006 messages
with people who have since deactivated their accounts, but their names were
labeled "Facebook User."

~~~
fredley
This is a problem with almost any online 'space' - everything sticks around
forever. You can go left from anyone's Facebook profile picture and see
probably the first picture they uploaded to Facebook. Snapchat's USP was that
it didn't (not publicly) keep stuff around.

I think there's a happy middle ground somewhere where I can set an expiration
time on anything I post to such a platform (e.g. Facebook/Twitter) so that it
goes private after that time - e.g. a year. It wouldn't even harm the bottom
line, since all the money is in new content, and I'd still have a private
archive of photos if I ever wanted to download them again.

All this is moot for me since I don't use services like this at all, but I
think there's an opportunity for a company to get this right.

~~~
sct202
Definitely is an opportunity, and I hope that they pursue it. Looking back at my first
private messages on the platform from 10+ years ago is just full of cringe.

~~~
TeMPOraL
So is reading your own journal. And yet people write them.

Despite privacy issues, I still think that things sticking around "forever" on
the Internet is a good default. Link rot is already a huge problem when you're
trying to reference something you read in the past, and that's without auto-
expiry.

~~~
jakear
But people don’t tend to publish their life’s journals to every random person
who recognizes their name in a list of “would you like to friend request X?”

------
heinrichf
Note that (according to the article) they claim to have 120mio accounts, the
81k are a sample posted online and verified by Digital Shadows.

~~~
EForEndeavour
For anyone else who read this before the coffee kicked in and thought "120mio"
was the name of a startup or something:

Mio is an abbreviation for "millions" as a unit indicator in some financial
markets, such as the German, Swiss, and Dutch markets.
[https://en.wikipedia.org/wiki/Mio](https://en.wikipedia.org/wiki/Mio)

------
fwn
I think the headline is slightly misleading.

> [...] the data had probably been obtained through malicious browser
> extensions.

It appears to actually be hacked browsers, or compromised browsers for that
matter.

~~~
tomalpha
Perhaps, but only slightly imho. To your average HN denizen, 'hacked' implies
the account was completely compromised. To the wider world it might well
include partial compromise and/or the communications to/from the account even
if the attackers didn't gain total control. Which is what this appears to be.

My parents, for example, would not understand the difference.

~~~
mrweasel
> My parents, for example, would not understand the difference.

Nor should they be expected to, but the BBC should know the difference.
Facebook's stock price could be hurt due to this reporting, even though it
shouldn't. This could be seen as an attempt at manipulating the stock price of
a publicly traded company. Of course it's just incompetence, but still.

~~~
mprev
The average tech reporter for a public service broadcaster most likely does
not know the difference. How often do you read mainstream tech reporting and
find yourself complimenting the journalist on their insight and factual
correctness?

~~~
mrweasel
Well... pretty much all the time. That doesn't mean it's okay if they
potentially hurt people and companies financially.

------
anjc
Why aren't Facebook saying which extension caused this, and why aren't people
being notified if their messages are leaked?

~~~
ipsum2
How does Facebook know what extensions were installed on the users' browsers?

------
rwoodley
If someone makes money selling my messages - I want to know how!! I'll start
selling them. Never thought this was a monetization possibility.

~~~
ppeetteerr
They are selling for $0.1 an account. I'll give you $0.1 for your messages.

~~~
j1vms
> They are selling for $0.1 an account.

The important part is why it's 10 cents an account. Most of the accounts are
worthless to them.

They are looking for the 1 in 10000 that is worth much more. Security,
security, security...

------
Havoc
Is there a way to check who is affected? Have I Been Pwned style.

~~~
sp332
Hopefully Facebook has reported the issue to Chrome and they will remove the
extension. Maybe at that point you'll get a notification about an extension
being blacklisted by your browser.

~~~
bagacrap
What makes you think it was a single extension? If I were doing this I'd
probably create many extensions (with various ostensible purposes packaged
along with the spyware) to cast a wider net.

~~~
sp332
It probably wasn't a single extension, but the article proposes bookmarking
and personal shopper extensions as likely culprits.

------
Scoundreller
> And the data had probably been obtained through malicious browser
> extensions.

Any reason we shouldn’t suspect a malicious mobile app?

~~~
tonyztan
We should also consider the possibility that this is related to the Facebook
breach discovered in September, in which attackers got access tokens to 50
million accounts.

[https://www.nytimes.com/2018/09/28/technology/facebook-hack-...](https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html)

------
baxtr
Anyone know if this also affects WhatsApp?

------
sfcguyus
In a GDPR violation who gets the fines? Is it users? The EC? The member state?

~~~
gnode
In this case there might not be a GDPR violation. If the data is taken by
compromised browsers, then the breach wouldn't exist within Facebook's
control.

It's not clear to me from reading the GDPR whether companies are responsible
for the loss of personal data outside of breaches in their security. E.g. is a
successful phishing campaign against customers a data breach? If not at fault,
do they have an obligation to alert customers specifically about the attack?

------
pavel_lishin
> _Facebook said its security had not been compromised._

I mean, that's demonstrably untrue.

~~~
ummonk
That's clearly true here. It was the security of users' browsers that was
compromised.

------
yoaviram
If you've had enough of Facebook's negligence and like many others in recent
months have closed your account, use this handy website to send them a GDPR
request to make sure they delete all your personal data (disclosure, I'm one
of the creators): [https://opt-out.eu/?company=facebook.com#nav](https://opt-out.eu/?company=facebook.com#nav)

~~~
czardoz
I'm curious to see why you think this is Facebook's negligence. There's little
they can do to control a user's browser extensions.

~~~
yoaviram
You have a point, although we don't know the details of this attack (they
haven't even disclosed the name of the extension) so I guess I'm biased
against them in light of recent history. My comment was more general than this
particular incident.

------
sbhn
So I guess the data is now being shared across the border between security
services and rightly so. The data and the story now have significantly more
value to those services that bill the tax payer, and those that sell your
attention using fear antagonising news media. So when an organisation demands
you hand over your data, and it’s for your security, it’s not really, is it?

