
Facebook admits SMS notifications sent using two-factor number was caused by bug - amingilani
https://www.theverge.com/2018/2/16/17022162/facebook-two-factor-authentication-sms-notifications-security-bug
======
adamjc
I find it extremely hard to believe that this was a bug. Obviously without
knowing FB's internals we'll never know, but why would you write software that
has everything wired up together, so that your SMS notification service has the
ability to post notifications on your behalf? I'm not buying it.

This was either poor engineers, or they're lying. With the quality stuff FB
puts out (React, Jest, etc.), I find the former hard to accept.

I'd find it more believable if this wasn't a bug, but something behind a
feature toggle that they didn't intend to push live just yet.

~~~
franciscop
If this is really a bug, I can see this as a _human bug_ or communication
issue. They have their standard SMS notification system in one place. The
creator(s) of the 2FA system saw a phone field on the profile and just pushed
the number there when saving the phone as a 2FA number, without checking that
this would be used for notifications as well. The person reviewing the code sees
a phone number coming in and being saved into the phone field, so no issue
from this point of view.

~~~
usrusr
That's a widespread class of bug (deserving of a short, memorable handle like
off-by-one, semantic collision perhaps?), but could it apply here? I'd sure
hope that the world's most prominent authentication provider would keep their
2FA more isolated than that from their ad pipes.
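
The two comments above describe the same failure mode: a phone number collected for one purpose (2FA) lands in a field that another subsystem (notifications) reads without knowing why it was collected. The following added example, which is not code from the thread or from Facebook, sketches the naive single-field model beside a purpose-bound one in which each stored number carries the purposes it was consented to and the SMS path refuses a number outside its purpose. All names, the `Purpose` enum and the sample number `+15550100` are constructed for the illustration.

```python
"""Purpose-bound phone numbers vs. a single shared profile field.

Constructed example. The naive model lets any reader of `phone` treat the
number as fair game; the purpose-bound model records why a number was stored
and makes the notification path prove it is allowed to use it.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Purpose(Enum):
    TWO_FACTOR = auto()        # second factor during login
    NOTIFICATIONS = auto()     # engagement / marketing SMS
    ACCOUNT_RECOVERY = auto()  # unused here, shows the model extends


# --- Naive model: one field, no record of why the number was collected -------

@dataclass
class NaiveProfile:
    user_id: str
    phone: Optional[str] = None


def naive_enroll_2fa(profile: NaiveProfile, number: str) -> None:
    # The 2FA code reuses the existing profile field; nothing marks it "2FA only".
    profile.phone = number


def naive_notification_target(profile: NaiveProfile) -> Optional[str]:
    # The notification code reads the same field and, seeing a number,
    # treats it as an SMS destination. This is the semantic collision.
    return profile.phone


# --- Purpose-bound model -----------------------------------------------------

@dataclass(frozen=True)
class StoredNumber:
    e164: str
    purposes: frozenset  # frozenset[Purpose]


@dataclass
class Profile:
    user_id: str
    numbers: list = field(default_factory=list)  # list[StoredNumber]

    def numbers_for(self, purpose: Purpose) -> list:
        """Only numbers explicitly tagged with `purpose` are visible to a caller."""
        return [n.e164 for n in self.numbers if purpose in n.purposes]


class PurposeViolation(Exception):
    """A subsystem asked for a number outside the purpose it was consented for."""


def enroll_2fa(profile: Profile, number: str) -> None:
    # Store the number with exactly the purpose the user enrolled it for.
    profile.numbers.append(StoredNumber(number, frozenset({Purpose.TWO_FACTOR})))


def add_contact_number(profile: Profile, number: str, purposes: set) -> None:
    profile.numbers.append(StoredNumber(number, frozenset(purposes)))


def notification_target(profile: Profile) -> Optional[str]:
    targets = profile.numbers_for(Purpose.NOTIFICATIONS)
    return targets[0] if targets else None


def send_sms(profile: Profile, purpose: Purpose, body: str) -> str:
    """Simulated gateway call: refuses to send when no number is tagged for `purpose`."""
    targets = profile.numbers_for(purpose)
    if not targets:
        raise PurposeViolation(f"{profile.user_id}: no number consented for {purpose.name}")
    return f"to={targets[0]} purpose={purpose.name} body={body!r}"


def demo() -> dict:
    """Enroll the same constructed number for 2FA in both models and compare."""
    naive = NaiveProfile("u1")
    naive_enroll_2fa(naive, "+15550100")

    bound = Profile("u1")
    enroll_2fa(bound, "+15550100")
    try:
        send_sms(bound, Purpose.NOTIFICATIONS, "X commented on Y's photo")
        blocked = False
    except PurposeViolation:
        blocked = True

    return {
        "naive_leaks_2fa_number": naive_notification_target(naive),  # "+15550100"
        "bound_notification_target": notification_target(bound),     # None
        "bound_2fa_target": bound.numbers_for(Purpose.TWO_FACTOR),    # ["+15550100"]
        "notification_blocked": blocked,                              # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the purpose tags is that the reviewer franciscop describes would now see a `TWO_FACTOR`-only number being requested by the notification path and have something concrete to object to; a 2FA code sent via `send_sms(profile, Purpose.TWO_FACTOR, ...)` still reaches the number, while the engagement SMS does not.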

~~~
rando444
The phone number is too important to them for tracking purposes.

It allows them to tie your Instagram usage to your Facebook account to your
WhatsApp conversations even if none of them are linked together, and then
create a big map of all of the people you interact with on the different
platforms.

The more phone number information they have, the more powerful their map.

------
eitland
Same company that bought the privacy-oriented communication startup WhatsApp,
changed the terms _with default opt-in_ and started feeding data back to
themselves.

Bug this time? Maybe. Maybe not.

To me it seems some parts of that company are constantly lying and pushing the
boundaries of creepy (while other parts are doing somewhat useful stuff).

~~~
p49k
Default opt-in for existing accounts, complete inability to opt out for new
accounts.

------
scrollaway
It's not just the notifications. I don't like how they _require_ a number for
SMS fallback when TOTP is set up.

SMS for 2FA is insecure and I _specifically_ do not want to use it, I _only_
want TOTP. And yet, every single code I generate on my authenticator also gets
sent to my SMS number.

It's incredibly annoying. Anyone from Facebook who worked on/with this care to
comment?

~~~
dublinben
If you add a U2F security key to your account as well (which you really ought
to) you can turn SMS fallback off.

~~~
scrollaway
I don't have a U2F key (for various reasons) and while I appreciate that the
option is there for those that use one, it's really no excuse.

~~~
tuxxy
Sorta unrelated, but mind commenting on why you don't have one? Is it a
security thing or do you just not have one/like one?

~~~
scrollaway
Not enough support to warrant having it for basically only my Google and
GitHub accounts.

I use KeePassXC TOTP, which gives me reliable seed backups etc., and still gives
me 95% of the same level of security.

------
philfrasty
Reminds me of a seller on Amazon I bought from who misused customers'
phone numbers to ask for reviews (as a seller myself I honestly don't know why
Amazon would display them publicly at all). One day I get a 500 character SMS:
"Do you want 20 coffee-tabs FOR FREE? Just leave us a 5 star review on XYZ and
email xyz@evil.com blablablabalbla".

Turned out to be the quickest 1 star review I had ever given.

~~~
0x00000000
There is no quicker way to get a 1 star review than spamming me through Amazon
marketplace emails to leave a review.

------
greggarious
Is "we decided to do this then later decided it was a bad idea" a "bug"? I
thought bug implies unintended behavior. Not intended behavior that wasn't
fully thought through and may have conflicted with other silos in the org.

~~~
craftyguy
You're absolutely right, but the vast majority of Facebook's target audience
has come to understand that "bug" is synonymous with "oops, we messed up (pay
no attention to whether this was intentional or not)".

------
bitL
FB PM's algorithm:

If a feature is a success, boast about how you created it from scratch and
take all the credit (ofc giving brownie points upwards in the hierarchy).

If a feature is a disaster, claim it's a bug and scorn a developer scapegoat!

------
mtgx
Not this excuse again. Everything Facebook has ever been caught doing
maliciously was classified as bug - at least until they turned it back on
later and called it a "super important security feature the world couldn't
live without - so, you're welcome?!", like they did/are doing with the datr
cookies.

They're also going to get caught using people's supposed "face authentication"
biometrics (another recent "security feature", which btw is a stupidly
reckless feature even when taken at face-value, because biometrics should be
stored client-side not in a centralized database where millions of profiles
can get hacked at once) for 100% advertising purposes, and they'll probably
call it a bug again if there's strong backlash against it, at least until they
make sure they can't get caught the next time they do it.

~~~
drak0n1c
They are probably not lying. If they get sued in a class action lawsuit and
this public statement is found to be a fabrication then they will be in way
more trouble than this entire issue is causing them in the first place.

~~~
shakna
"Bug" is a nice wide term covering a lot of things. This could have been a
feature that wasn't intended to go live yet. It got exposed early, so that's a
bug. Another option: It was supposed to go live everywhere, but only went live
in a small area. Still a bug.

------
jstanley
> Facebook uses the automated number 362-65, or “FBOOK,”

Without even looking at a phone keypad, how can this make sense? The 3rd and
4th characters can't both be O if they come from different keys. Perhaps they
mean 32665?

~~~
Kiro
Pretty sure it's 326-65, yes. Otherwise 2 would be wrong as well.

------
pfarnsworth
Why do people keep misusing the word “deprecate”? Everyone I know seems to
think deprecate means “to desupport” or to “end functionality” but it means
“to discourage its use”. When someone says “we plan to deprecate it soon” they
really mean “we plan to remove the feature soon”, since it’s already likely
deprecated.

~~~
toomanybeersies
In the tech community, deprecate has had the meaning of "end functionality"
for at least a decade.

------
username223
Way back when FB rolled out 2FA, I weighed the additional security of that
over a strong random password, versus the obvious downside of them having my
phone number. Basically, it was a small chance of some weirdo hijacking an
account containing nothing sensitive (FB doesn't have my credit card, either),
versus a large chance of a giant ad/surveillance company using my phone number
to make money. I ultimately chose not to set up 2FA, and now I think that was
a good decision for exactly the reasons I predicted.

I'm also very skeptical of the "bug" explanation, given how persistently they
have been asking for my phone number lately.

------
mikeash
Why is this “admits”? This is the kindest possible explanation for them.
“Admits” would be if they said they did it on purpose.

~~~
dilap
Yeah, I think "claims" would fit a lot better here.

------
0x00000000
Yeah I'm sure it's a "bug" that they spam you with irrelevant push
notifications ("did you see X commented on Y's photo?") even when you have
push notifications turned off in account settings.

I'm sure it's also a bug that the screen in the app that let you select a
recent notification and say "don't show me notifications like this" also
disappeared.

~~~
UncleEntity
Maybe that's the team where the Microsoft ME devs they poached back in the day
go to retire?

I jest, I jest...

It is crazy annoying how needy they are with their "engagement" emails though.

------
tempodox
What a lame and transparent excuse. They “admit” it was a “bug” so they don't
have to admit they got caught.

------
m3kw9
Most responses these days by these companies are that this was a bug and we will
fix it after being caught.

------
retox
Every time they get caught doing something shady it's a 'bug'. Same for Google
sniffing up all the WiFi signal data from the streetview cars.

It fucking stinks.

------
vincengomes
"Bug"

------
imron
And let me guess, it was an intern who did it (or a 3rd party contractor).
