Breach: Facebook Exposes Personal Photos

Facebook disclosed a new breach that (according to their disclosure) “may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.” It’s unclear how many European users were affected, but this is a clear GDPR violation even when we don’t consider the potential embarrassment of personal photos being presented to the wrong people.

While Facebook hasn’t made it entirely clear how this happened, the main thing to keep in mind is how this underscores the complexity of the API-driven microservice world.  According to Facebook, this breach was limited to apps that had authorized access a specific photo API, which is separate from the general newsfeed API.  This implies that the photo service has different permissions than the newsfeed service, even though they are accessing the same data.

Most security models stop traffic at some sort of an API gateway, sort of like a border crossing where you show your passport and they check a computer for criminal records or other reasons to keep you out.  Once you’re in, the service itself usually trusts that all the security checks were done at the border (or the Edge as we say in the API security world).

This breach illustrates the folly of that kind of architecture. Personal photos should not be exposed to anyone other than the person. The combination of User+Service should be a specific key, but we need to get even more granular with User+Service+Datapoint, so that Me+Photos+20181213-img.png can’t be accessed with a key that represents You+Photos+20181213-img.png.

That border check is still really important, but just as you lock the door to your house, an app that gets into the data center shouldn’t be able to accidentally wander into the wrong place because it wasn’t locked down. ..Read More..

Leave a Reply

Your email address will not be published.