Facebook Announces More Data Woes, Google Announces New Chrome Security Measures

Oct 03, 2018



Facebook's data and security woes continue. Last Friday the company announced that an attack on its network led to a breach of 50 million users' personal information. According to the announcement from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Of course, this comes on the heels of months of discussion over the way users' data is used by third-party apps and Facebook's promises to do a better job of being transparent about its data practices.

“While Facebook data are different from sensitive financial information related to credit cards or bank accounts, the data potentially contain a significant amount of personally identifiable information (PII) that can be pieced together to form a profile that can then be used fraudulently,” says Scott Grissom, VP of Product Leadership, Marketing, and Sales at LegalShield. “Depending on how much information a Facebook user included in their profile, this could include dates of birth, phone numbers, home addresses, maiden name, and of course information on with which people or groups the member associates.”

Facebook says it has fixed the vulnerability in question, and alerted law enforcement. Additionally, “we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”

But other tech giants are taking notice and tightening up their security and data protocols. For instance, as Engadget reported, “Many extensions request blanket access to your browsing data, but you'll soon have the option to whitelist the sites they can view and manipulate, or opt to grant an extension access to your current page with a click. That feature is included in Chrome 70, which is scheduled to arrive later this month and includes other privacy-focused updates.”

Mike Bittner, digital security and operations manager of The Media Trust, says, “Google’s decision to tighten their security policies for their Chrome Store is an important step in the right direction. Too often, developers pay little or no attention to security during the development process. In the post-GDPR world, these security lapses can cost all parties along the supply chain that process consumer data. Google’s five new rules are a good faith effort to reduce those risks, but they do not get developers off the security hook. That’s because even if extensions do not use obfuscated code or are subject to closer scrutiny by Google, attacks can spread through poorly secured extensions, and phishing attacks can bypass two-factor authentication. Another important point is that Chrome users should turn on 'auto updates' to ensure they benefit from Chrome 70’s improved security as soon as it’s available.”

