Private messages from 81,000 hacked Facebook accounts for sale (bbc.co.uk)
314 points by dustinmoris 3 months ago | 131 comments

Maybe it's time for the browsers to put more effort into extension network security.

1) Every extension has to declare up front what urls it needs to communicate to.

2) Every extension has to provide schema of any data it intends to send out of browser.

3) Browser locally logs all these comms.

4) Browser blocks anything which doesn't match strict key values & value values and doesn't leave browser in plain text.

> 4) Browser blocks anything which doesn't match strict key values & value values and doesn't leave browser in plain text.

It is not that hard to leak out arbitrary info in strings or even numbers.

Or in the timing pattern of polling a URL. 1 sec pause: 0, 2 sec pause: 1.

This is a losing battle. Don't engage.

I disagree. So does the TCSEC ("Orange Book"), which argues that covert channels may be effectively impossible to eliminate but that they should still be reduced, then lays out guidelines on how far they should be reduced for secure computing platforms. Specifically:

  In any multilevel computer system there are a number of
  relatively low-bandwidth covert channels whose existence is
  deeply ingrained in the system design. Faced with the large
  potential cost of reducing the bandwidths of such covert
  channels, it is felt that those with maximum bandwidths of
  less than one (1) bit per second are acceptable in most
  application environments. [...] Therefore, a Trusted
  Computing Base should provide, wherever possible, the
  capability to audit the use of covert channel mechanisms
  with bandwidths that may exceed a rate of one (1) bit in ten
  (10) seconds.

I'll admit that this definition is at least a couple decades out of date, but at the same time... the standard for the US's intelligence agencies' secure computing platforms was to not even care about hypothetical covert channels slower than .1 bps. In addition, such channels were required to be auditable, not eliminated; I'm certain that less-secure applications were completely fine shipping with demonstrated covert channels in the bits-per-second range. And that's for systems that deal with things like the IDs of HUMINT assets or technical specifications for weapons systems; here on HN we're talking about browser fingerprints and location data.

All of this is to say: If I could limit covert channels from webpages or mobile phone apps to 10 bps I'd do it in a heartbeat. Perfect is the enemy of good enough.
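The four-point proposal at the top of the thread (declared origins, declared payload schema, local audit log, block on mismatch) and the Orange Book's "audit anything above 0.1 bit/s" rule from the comment above can be put together in a few lines. The block below is an added example written for this page; it is not code from the thread, from any browser, or from any real extension. The manifest, the `alerts.example` origin, the payloads and the timestamps are constructed placeholders, and the bandwidth figure is a crude upper bound, not a measurement: each enum field is counted as log2(n) bits, each boolean as 1 bit, plus 1 bit per allowed request for the send-or-not timing channel the replies point out.

```javascript
// Added example, not code from the thread or any browser: a toy model of the
// four-point proposal (declared origins, declared payload schema, local audit
// log, block-on-mismatch) plus an audit step that scores the log against the
// Orange Book's 0.1 bit/s threshold. Manifest, origin and payloads are
// constructed placeholders.

// Hypothetical manifest for a "price alert" extension.
const manifest = {
  allowedOrigins: ["https://alerts.example"],          // placeholder origin
  schema: {                                             // field -> legal shape
    event:  { enum: ["price_drop", "back_in_stock"] },
    store:  { enum: ["amazon", "ebay"] },
    notify: { type: "boolean" },
  },
};

const auditLog = [];                                    // (3) local log of every attempt

function record(decision, origin, payload, reason, t) {
  auditLog.push({ t, decision, origin, payload, reason });
}

// Return null if `payload` fits the schema, else a string naming the first violation.
function schemaViolation(payload, schema) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return "payload is not an object";
  }
  for (const key of Object.keys(payload)) {
    const rule = schema[key];
    if (!rule) return `undeclared field "${key}"`;
    const v = payload[key];
    if (rule.enum && !rule.enum.includes(v)) return `field "${key}" has undeclared value`;
    if (rule.type && typeof v !== rule.type) return `field "${key}" has wrong type`;
  }
  return null;
}

// (1), (2), (4): gate one outbound request. `t` is an injected timestamp (ms)
// so the audit log is reproducible.
function gateRequest(url, payload, t = Date.now()) {
  let u;
  try { u = new URL(url); } catch { record("block", url, payload, "unparseable url", t); return false; }
  if (u.protocol !== "https:") { record("block", u.origin, payload, "plaintext transport", t); return false; }
  if (!manifest.allowedOrigins.includes(u.origin)) { record("block", u.origin, payload, "undeclared origin", t); return false; }
  const why = schemaViolation(payload, manifest.schema);
  if (why) { record("block", u.origin, payload, why, t); return false; }
  record("allow", u.origin, payload, "matches schema", t);
  return true;
}

// Upper bound on the information a schema-conforming payload can carry:
// log2(n) bits per enum field, 1 bit per boolean.
function bitsPerPayload(schema) {
  let bits = 0;
  for (const rule of Object.values(schema)) {
    if (rule.enum) bits += Math.log2(rule.enum.length);
    else if (rule.type === "boolean") bits += 1;
  }
  return bits;
}

// Score the allowed traffic in the log against a bits-per-second threshold,
// adding 1 bit per allowed request for the send/not-send timing channel.
function auditCovertBandwidth(entries, schema, thresholdBps = 0.1) {
  const allowed = entries.filter(e => e.decision === "allow");
  if (allowed.length < 2) return { bps: 0, exceeds: false, allowed: allowed.length };
  const seconds = (allowed[allowed.length - 1].t - allowed[0].t) / 1000;
  const bps = (allowed.length * (bitsPerPayload(schema) + 1)) / seconds;  // Infinity if same instant
  return { bps, exceeds: bps > thresholdBps, allowed: allowed.length };
}

// Constructed run: one well-formed send, five rejected attempts, one more send a minute later.
function demo() {
  auditLog.length = 0;
  const ok = { event: "price_drop", store: "amazon", notify: true };
  const results = [
    gateRequest("https://alerts.example/ping", ok, 0),                                     // allow
    gateRequest("http://alerts.example/ping", ok, 1000),                                   // plaintext
    gateRequest("https://collector.example/x", ok, 2000),                                  // undeclared origin
    gateRequest("https://alerts.example/ping", { event: "price_drop", note: "hi" }, 3000), // undeclared field
    gateRequest("https://alerts.example/ping", { event: "jackpot" }, 4000),                // undeclared value
    gateRequest("https://alerts.example/ping", { notify: "yes" }, 5000),                   // wrong type
    gateRequest("https://alerts.example/ping", { event: "back_in_stock" }, 60000),         // allow
  ];
  return { results, audit: auditCovertBandwidth(auditLog, manifest.schema), log: auditLog.slice() };
}
```

With this manifest a conforming payload carries at most 3 bits, and two allowed sends a minute apart already score 8 bits / 60 s, above the 0.1 bit/s line the Orange Book quote sets for mandatory auditing. That is the practical reading of the thread: the schema does not close the channel, but it makes the channel's ceiling a number a reviewer can compute from the manifest before approval and check against the log afterwards.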

Any kind of enforcement would already be a huge benefit over the status quo and make things too annoying for at least half of the attackers.

What is a losing battle? Security?

"Security" through throwing homework-level challenges at extension programmers? Yes.

Extensions. I agree with Santosh83, no extensions except ublock.

I'd be fine with uMatrix as basic browser feature. Barely use anything else ever.

I mean...

How many extensions need to send unique outbound data? Prior to publishing in store, browser maker can look at schema and query whether it makes sense in context of extension. If the submitted schema is not tight enough, it can be rejected until it's tighter.

A lot need to modify the DOM, and that would make it possible to include an <img src=x width=0>. Preventing this seems _very_ complex.

Last year several coworkers had installed a fake Postman Chrome extension that contained adware. We all reported it to Google, and on inspection others had left reviews to that effect, but Google took over six months to remove it.

Related question: What would you use a Postman Chrome Extension... for?

Rather than say just... use Postman?

I'm not disagreeing with the use, just wondering how they use it compared to Postman itself. I'm a n00b web dev, I just want to know how others work and why.

> Related question: What would you use a Postman Chrome Extension... for?

Postman started off as a Chrome Extension (ran in a Chrome tab), and then became a Chrome App. The standalone apps for desktops came later. A lot of people use the Chrome extension because it's convenient.

Source: I worked at Postman until about a year ago.

Native Postman is garbage in that it doesn't even support authenticated corp proxies.

I think I knew that once, but only started playing with Postman after it was a standalone application.

I believe the extension can be used in conjunction with the app to let the app use the cookies in your browser session, but to be honest, I've only seen others do it, and it was back in the day when Postman was just a "Chrome App" and not a detached application. Maybe that functionality exists in the new Postman app without the Chrome extension.

I can't speak to Postman specifically, because I barely use it enough for it to make a difference. But in a more general sense, I tend to prefer <thing> in a browser over <thing> but in its own window. It means one fewer program filling my taskbar.

I can see that, but for me it's more:

- Dork with code/ routes in one window and/or dorking around with the front end code.

- Postman (the stand alone program) in another window to check what the return from the server really is or what the API is doing now.

So I've got it on its own dedicated space (not all the time but often enough).

I very rarely have only a single browser window, and I'm not coding in a browser anyway, so that's not actually a huge factor in the decision. I agree with using windows to easily switch between tweak and test.

A friend of mine works for a large bank and isn't allowed to install desktop applications but has Chrome installed so can 'sneak in' certain apps through browser extensions.

E.g. WhatsApp, 1Password

The Chrome Extension has the 'interceptor' feature which listens to ALL network requests made in the browser on a particular page and pipes it to the Postman App. This was very neat for me to debug my requests.

However, the standalone app doesn't have that feature (yet). So I will continue to use the Chrome Extension version until they have that feature available in the Standalone app.

For some idiotic reason the native version of Postman does not support authentication against corp proxies. As a result, when using it at work, behind a corp proxy that requires authentication, the native Postman doesn't work!

The only version that works is the Chrome App Postman, which simply uses the Chrome network stack, which obviously works behind the proxy.

Boooo to Postman.

"What would you use a Postman Chrome Extension... for"

If I'm not mistaken, it started as a browser extension.

This is terrifying - Postman is very widely used.

Mozilla and Google should look at the top extensions and implement the popular ones as official extensions (or for some it may be worth building them inside the browser). Reader mode is now part of some browsers so you do not need an extension.

Mozilla could implement ad blocking extensions and give the user the option to use a custom block list (so Mozilla is not accused of becoming a gatekeeper).

Or maybe not: the Firefox version of the pocket extension is badly baked (you have to wait for the adding animation to disappear otherwise it gets cancelled. The previous version was "click and it's added in the background").

The Chrome version is more usable.

The great Firefox redesign at the beginning of the century was about slimming down Mozilla the navigator and letting extensions extend the browser. Is that the pendulum going back and forth?

I think the minimum browser changes over time, but without adding and removing features it's hard to discover what that minimum is.

For example, some form of ad or at least popup blocking should be included, but that does not preclude useful addons from customizing the experience.

I was suggesting official extensions, so you could uninstall or disable them; the reason I mentioned some could be put directly in the browser is if the same functionality can't be done by a pure extension or it would be much more efficient directly in the browser.

I completely agree that you should be able to disable/uninstall Mozilla extensions and replace them if you want with different ones (maybe you know of a better reader mode or a better ad blocker extension).

In fact this extension may not even be installed, just be part of the Mozilla code base so any update will be reviewed.

Through reading bug reports, I found out that the FF reviewers for the decentraleyes extension have a custom script to check that all copied scripts are actually identical to the CDN versions. I found that step in the review interesting and positive.

Why are Mozilla and Google the only people you trust to maintain extensions? Why don't you or I implement the popular extensions in a user-respecting way?

I don't want to offend the extension creators, I want the option to uninstall an official extension and put my own or a community one, but IMO there are reasons to trust Mozilla more than a stranger or a community. There were cases where popular extensions were bought and updated with malicious code; because of that I make sure I open bank or PayPal websites in a private window with extensions blocked, but will a regular user know to do this?

One could always stick to open-source extensions... if Google didn't make developer mode such a painful experience.

I don't think it is about who you trust but who can resource the amount of work required to keep it going? There are thousands of browser extensions, including all of their updates etc.

No, not secure enough. Remember ActiveX? The security policy of ActiveX was, the browser asks the user if he wants to install the ActiveX. If the user says yes, anything that happens afterwards is the user's responsibility.

What you're suggesting is not that much better. Do you expect your grandma to be able to review the permission list for the browser extension?

Browser extensions are the modern day ActiveX. Yes, lots of them are very useful. But you could say the same about ActiveX controls too.

> policy of ActiveX was, the browser asks the user

Therein lies the problem. The entire industry has, ever since Windows 3.1 (!), done their best to condition users with a single and highly destructive mindset:

"Press OK to make the annoying window go away."

The only way around this, and I'm not saying this lightly, would be to make the pushers and vendors CRIMINALLY AND PERSONALLY liable for the damage they cause to end users. Once we see the third or fourth offender nailed through their genitals, head down, on the town hall wall, the message will start to get through.

A lot of it happens in countries other than country of origin... and extradition is difficult and often expensive. Though, I wouldn't mind seeing the people that write rogue extensions that harm people get doxed.

No, I expect browser staff/interested technical parties to review extension before publication. Why would your grandma review it?

> 1) Every extension has to declare up front what urls it needs to communicate to.

I believe Firefox has this. The rest are great ideas. Would love to see a way to log these.

The explanation of what each permission really does and why it is necessary is traditionally horrible, so even I, having developed a plugin once, have no clue what is reasonable and what is not.

Like realizing that the "flashlight app" needs camera permissions because the light is tethered to the camera permission.

Bookmarking extensions need access to all webpages though. Only #3 would potentially show something suspicious.

A bookmarking extension can use the activeTab permission, which gives them access only when the user clicks on the extension button and only to the current tab: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

That's a great feature. Maybe not something people would want on a personal shopper extension though, which is another type of extension that might have done the scraping. It's more convenient to just have a price alert activate when I look at an item on Amazon than having to push a button every time.

Technically you can do that just with the webNavigation (allows you to see the URLs loaded) and the notifications (to alert the user).

This shouldn’t require arbitrary network access, though. You can read the content of pages and have access to browsing history locally.

Right, if someone is using Facebook Messenger in a browser, the message history could be scraped.

Then every extension will require access to Facebook so that the user can share something there.

What I actually need is the ability to deny / revoke access to particular URLs.

The image on the page doesn't have the "Allow on all but block access on this site" functionality.

For Android, it is extremely easy to do that via an app called NoRoot Firewall. What it does is it creates a VPN server on localhost and routes all traffic to that. When an app wants to connect to a host, it shows a notification which when clicked, you can see the URL/ip and the app name. Then, you decide whether you accept the connection or not. It supports permanent blacklisting and whitelisting as well.

Since a browser like Opera can integrate a proprietary VPN without messing with OS network settings, doing the same on other browsers should be possible.

This notification method will get the Vista UAC treatment - approve all or deny all. Because it's annoying.

Have you ever used Kaspersky?

It actually doesn't, because you can actually make a rule, and then the application will follow it from that point on with no more notifications. The rule can include wildcards for parts of the hostname, or the IP address, or the port, or both.

And you honestly think that is a workable solution for most people on the internet?

Nope. Just explaining how it works.

> 2) Every extension has to provide schema of any data it intends to send out of browser.

Just because I supplied a schema does not mean I'm not exfiltrating sensitive data, in a way that would not be obvious from the logs.

How many extensions _need_ to send data outbound? Before approving extensions for store/signing, the schema can be checked and if it's not tight enough - rejected.

Can browser extensions block other browser extensions from communicating with an outside URL (or outside URLs in a block list)?

Agreed, but #3 is adding another attack vector, and the implementation matters and could be complicated.

There was a browser addon (client-side) that was encrypting Facebook messages but Facebook banned it.

No using maths on messages! Just read more ads!

Rogue extensions are the Achilles' heel of browsers, yet the ramifications aren't understood by the average user, who happily installs all sorts of addons and extensions. Frankly I'm surprised more sensitive information hasn't already been stolen/harvested all these years. This is why I run my browser with no extensions with the sole exception of uBlock Origin.

I wouldn't object to extensions becoming paid and verified - that is, an expert review team doing a code / security review for each update of an extension. Either paid for by the authors, or done for free by e.g. Google because they have plenty of money and they are directly impacted if their platform releases a malicious extension.

The downside to this would be that this would still be possible to bypass if users are allowed to install “unverified” extensions, but removing this feature would lead to the downsides of the App Store, namely Google having full control over what their browser supports. Them being an advertising company, there are whole classes of popular extensions that directly hurt their business.

Unverified extensions are also a bitch now... I can't just install all my own via open-source extensions without a painful experience now in Chrome.

It's a mixed bag.

You have described what antivirus companies usually do with traditional software.

Antivirus companies do not have control over the primary distribution method of software.

>e.g. Google because they have plenty of money and they are directly impacted if their platform releases a malicious extension.

I have some foxes for rent, perhaps you could use them to guard your henhouse.

Google already guards the henhouse, i.e., they control who can be listed on the Chrome Store.

The funny thing is that your sole exception is an extension that gets access to everything you look at.

And that’s only because it’s not in Google’s best interest to provide a framework that allows users to install ad blockers in a way where the extension doesn’t have access to the user’s browsing.

Safari’s content blocking framework provides an existence proof that it can be done. Extensions just give Safari a JSON file with regexes for content that should be blocked.
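What that existence proof looks like in practice: the extension ships a declarative list and the browser does the matching, so the extension never receives a page. The block below is an added example written for this page, not Safari's code or any extension's; it uses the shape of Safari's content-blocker JSON (`trigger` with `url-filter`, `resource-type`, `if-domain`; `action` with `block` or `ignore-previous-rules`) but the matcher is a simplified reimplementation, and the rules, hosts and URLs are constructed.

```javascript
// Added example, not Safari's or any extension's code: a block list in the
// shape of Safari's content-blocker JSON and a simplified matcher that the
// browser, not the extension, would run. Rules and URLs are constructed.
const rules = [
  { trigger: { "url-filter": "^https?://ads\\.example\\.com/" },
    action: { type: "block" } },
  { trigger: { "url-filter": "/tracker\\.js$", "resource-type": ["script"] },
    action: { type: "block" } },
  // Exception: on example.com and its subdomains, let the first-party ad host through.
  { trigger: { "url-filter": "^https?://ads\\.example\\.com/", "if-domain": ["*example.com"] },
    action: { type: "ignore-previous-rules" } },
];

// Compile the declarative list once (Safari likewise compiles ahead of time).
// url-filter is case-insensitive unless the rule says otherwise.
function compile(list) {
  return list.map(r => ({
    re: new RegExp(r.trigger["url-filter"], r.trigger["url-filter-is-case-sensitive"] ? "" : "i"),
    resourceTypes: r.trigger["resource-type"] ? new Set(r.trigger["resource-type"]) : null,
    ifDomain: r.trigger["if-domain"] ? r.trigger["if-domain"].map(d => d.toLowerCase()) : null,
    action: r.action.type,
  }));
}

// "*example.com" matches example.com and any subdomain; a bare name matches exactly.
function domainMatches(host, pattern) {
  if (pattern.startsWith("*")) {
    const base = pattern.slice(1);
    return host === base || host.endsWith("." + base);
  }
  return host === pattern;
}

// Decide one request. Rules apply in order; a later ignore-previous-rules
// clears earlier blocks, so exceptions must come after the rules they relax.
function decide(compiled, url, resourceType, pageHost) {
  let verdict = "allow";
  const host = pageHost.toLowerCase();
  for (const r of compiled) {
    if (!r.re.test(url)) continue;
    if (r.resourceTypes && !r.resourceTypes.has(resourceType)) continue;
    if (r.ifDomain && !r.ifDomain.some(d => domainMatches(host, d))) continue;
    if (r.action === "block") verdict = "block";
    else if (r.action === "ignore-previous-rules") verdict = "allow";
  }
  return verdict;
}

const compiled = compile(rules);
```

The security property is in what `decide` takes as input: a URL, a resource type and the top-level page host. Nothing in the list can ask for the DOM, cookies or the response body, which is exactly the capability a "blocks everything" extension under the Chrome model has to be granted in order to work.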

You should mostly just assume all the browser extensions have access to everything you look at. Most do. ;)

I'm similar to the parent comment but my sole extension is the EFF's Privacy Badger. Yes, I'm trusting the EFF with access to everything I view, but they are in turn, blocking tracking data from nearly everyone else.

I may soon drop Privacy Badger though, Firefox's built-in tracking protection has inched closer and closer to that tier.

An average user might not even know what a 'browser extension' is and what it can do. I think antivirus software should pay more attention to this kind of threat and block suspicious extensions.

Define suspicious. Have you ever even seen the number of requests that Chrome itself makes to the web? Tons of unrecognisable URLs.

What happens when you change a feature on a proper extension? Submit a request to all the anti-virus vendors to whitelist it?

Browser extensions, although super useful, freak me out.

It's the operating system equivalent of a kernel driver, getting access to everything.

They lack transparency, updates can be sketchy and I don't ever know based on what I should make trust decisions (number of downloads, is it an individual or company, permissions, ...)

If I could purge some of my Facebook messages after a certain age, I think that would be great. When I downloaded my archive, I had circa-2006 messages with people who have since deactivated their accounts but their names were labeled "Facebook User."

This is a problem with almost any online 'space' - everything sticks around forever. You can go left from anyone's Facebook profile picture and see probably the first picture they uploaded to Facebook. Snapchat's USP was that it didn't (not publicly) keep stuff around.

I think there's a happy middle ground somewhere where I can set an expiration time on anything I post to such a platform (e.g. Facebook/Twitter) so that it goes private after that time - e.g. a year. It wouldn't even harm the bottom line, since all the money is in new content, and I'd still have a private archive of photos if I ever wanted to download them again.

All this is moot for me since I don't use services like this at all, but I think there's an opportunity for a company to get this right.

Definitely is an opportunity I hope that they pursue. Looking back at my first private messages on the platform like 10+ years ago is just full of cringe.

So is reading your own journal. And yet people write them.

Despite privacy issues, I still think that things sticking around "forever" on the Internet is a good default. Link rot is already a huge problem when you're trying to reference something you read in the past, and that's without auto-expiry.

But people don’t tend to publish their life’s journals to every random person who recognizes their name in a list of “would you like to friend request X?”

MeWe has this as an option on some of its stuff: disappearing posts.

You can manually delete conversation histories.

Visit: https://www.facebook.com/messages/

Mouse over a conversation, click the cog, "This will permanently delete all conversation history [Cancel] [Delete] [Archive]."

But won't deny Facebook could make this easier/automated.

But does that delete it for both parties?

No, each party would have to opt to delete the history. Other platforms have the concept of private/temp conversations.

Facebook now has the concept of both private (i.e. e2e encrypted) and temporary conversations. The UI to access them is a bit awkward to be sure.

That doesn't help the problem of old messages from before these existed. It's also not super helpful because the retention is no more than a day. Better I think would be like a year -- enough time that you're unlikely to want to refer back to it.

Facebook only supports them in the Messenger app. You cannot start a temp conversation from a PC or the website.

Were their messages still there, or was the content deleted?

I've seen this for messages from deleted/deactivated accounts. The text content was still there (!)

All the messages were there but the name was scrubbed off (so I could tell who it was by the message content, but it wasn't super obvious), I'm not sure if they deactivated or deleted.

Note that (according to the article) they claim to have 120mio accounts, the 81k are a sample posted online and verified by Digital Shadows.

For anyone else who read this before the coffee kicked in and thought "120mio" was the name of a startup or something:

Mio is an abbreviation for "millions" as a unit indicator in some financial markets, such as the German, Swiss, and Dutch markets. https://en.wikipedia.org/wiki/Mio

I think the headline is slightly misleading.

> [...] the data had probably been obtained through malicious browser extensions.

It appears to actually be hacked browsers, or compromised browsers for that matter.

Perhaps, but only slightly imho. To your average HN denizen, 'hacked' implies the account was completely compromised. To the wider world it might well include partial compromise and/or the communications to/from the account even if the attackers didn't gain total control. Which is what this appears to be.

My parents, for example, would not understand the difference.

>My parents, for example, would not understand the difference.

Nor should they be expected to, but the BBC should know the difference. Facebook's stock price could be hurt due to this reporting, even though it shouldn't. This could be seen as an attempt at manipulating the stock price of a publicly traded company. Of course it's just incompetence, but still.

The average tech reporter for a public service broadcaster most likely does not know the difference. How often do you read mainstream tech reporting and find yourself complimenting the journalist on their insight and factual correctness?

Well... pretty much all the time. That doesn't mean it's okay if they potentially hurt people and companies financially.

You have to account for everything when evaluating a company, and that includes negative sentiment of the public about using an application. Even if the company didn't do anything wrong.

I would say it's roughly the same as posting a news story about how fuelling your car at Texaco destroys the car's engine, and that it's a Texaco issue, even if the truth is that someone just accidentally chose diesel rather than petrol.

To me it places the blame in the wrong place. In this case Facebook doesn't seem to have done anything wrong.

Given the recent complete compromise of Facebook security allowing stealing access tokens, this is not the only possibility.

Why aren't Facebook saying which extension caused this, and why aren't people being notified if their messages are leaked?

How does Facebook know what extensions were installed on the users browsers?

If someone makes money selling my messages - I want to know how!! I'll start selling them. Never thought this was a monetization possibility.

They are selling for $0.1 an account. I'll give you $0.1 for your messages.

> They are selling for $0.1 an account.

The important part is why it's 10 cents an account. Most of the accounts are worthless to them.

They are looking for the 1 in 10000 that is worth much more. Security, security, security...

Is there a way to check who is affected? Have I Been Pwned style.

Hopefully Facebook has reported the issue to Chrome and they will remove the extension. Maybe at that point you'll get a notification about an extension being blacklisted by your browser.

What makes you think it was a single extension? If I were doing this I'd probably create many extensions (with various ostensible purposes packaged along with the spyware) to cast a wider net.

It probably wasn't a single extension, but the article proposes bookmarking and personal shopper extensions as likely culprits.

If you've since uninstalled the extension or switched machine / browser, then that's no good for you.

> And the data had probably been obtained through malicious browser extensions.

Any reason we shouldn’t suspect a malicious mobile app?

We should also consider the possibility that this is related to the Facebook breach discovered in September, in which attackers got access tokens to 50 million accounts.

Anyone know if this also affects WhatsApp?

In a GDPR violation who gets the fines? Is it users? the EC? the member state?

In this case there might not be a GDPR violation. If the data is taken by compromised browsers, then the breach wouldn't exist within Facebook's control.

It's not clear to me from reading the GDPR whether companies are responsible for the loss of personal data outside of breaches in their security. E.g. is a successful phishing campaign against customers a data breach? If not at fault, do they have an obligation to alert customers specifically about the attack?

The fines are applied by the regulatory agency of the member state, so that depends on national jurisdiction, but it probably goes to the budget of that member state.

A breach is defined as:

   ‘personal data breach’ means a breach of security leading to the accidental 
   or unlawful destruction, loss, alteration, unauthorised disclosure of, or 
   access to, personal data transmitted, stored or otherwise processed;

Given the definition, I think it's a bit hard to argue this isn't a breach. It's a breach of security leading to unauthorised disclosure of personal data.

Do you mean the money obtained from a fine?

> Facebook said its security had not been compromised.

I mean, that's demonstrably untrue.

That's clearly true here. It was the security of users' browsers that was compromised.

Please demonstrate. This was a browser extension; it had nothing to do w/ Facebook security.

If you've had enough of Facebook's negligence and like many others in recent months have closed your account, use this handy website to send them a GDPR request to make sure they delete all your personal data (disclosure, I'm one of the creators): https://opt-out.eu/?company=facebook.com#nav

Look, I hate Facebook as much as the next guy, but this breach was out of their control. Apparently it was a result of browser extensions harvesting the private information.

I'm curious to see why you think this is Facebook's negligence. There's little they can do to control a user's browser extensions.

You have a point, although we don't know the details of this attack (they haven't even disclosed the name of the extension) so I guess I'm biased against them in light of recent history. My comment was more general than this particular incident.

You have to be EU resident for that.

It's more complicated than this. The GDPR does not mention residency. According to some interpretations it's enough that you're located in the EU.

So I guess the data is now being shared across the border between security services and rightly so. The data and the story now have significantly more value to those services that bill the tax payer, and those that sell your attention using fear antagonising news media. So when an organisation demands you hand over your data, and it’s for your security, it’s not really, is it?
