Facebook Libra? CYBR Weighs In.

CYBR Token
Published in CYBRtoken
Sep 5, 2019

A Problematic History

March 21, 2019
SECURITY FLAW

On Thursday, March 21st, 2019, Facebook announced that since 2012, hundreds of millions of user passwords were stored in plain text and accessible to more than 20,000 of the company’s employees. The announcement, made by Facebook’s VP of Engineering, was ironically titled “Keeping Passwords Secure.” As many as 600 million users may have been impacted. Data breaches caused the number of consumer records exposed to jump 126 percent in 2018 over 2017. Facebook’s latest announcement marks the continuation of this disturbing trend in information security, and is just the latest in a string of Facebook data breach and privacy issues.

September 28, 2018
HACKED

Facebook Inc. said it discovered a security breach earlier this week that affected almost 50 million accounts, the latest in a series of missteps that are undermining confidence in the company’s social network and business model. There was a loophole in Facebook’s code for a feature called “View As” that let people share what their account looks like to someone else. The vulnerability allowed hackers to steal tokens — digital keys that keep people logged into Facebook so they don’t need to re-enter passwords. Once logged in, the hackers could take control.

Between July 28, 2008 and September 22, 2015, there were five other major hacks or major disclosures of privacy information.

This track record alone suggests a pattern of poor cyber security. One would think that a single incident alone would prompt Facebook to take action and implement a defense-in-depth approach. But as evidenced by the following CYBR-conducted cyber security scan, Facebook is another disaster waiting to happen.

CYBR’s Vulnerability Scan


CYBR’s corporate policy is never to share detailed reporting information as this potentially empowers the hacking community. That said, the report is not a very nice read.

The primary issue CYBR takes is that the majority of these vulnerabilities can be addressed by updating certificates and other “low hanging fruit” in the way of safeguards and countermeasures; however, Facebook doesn’t do so. This is due either to ignorance or to an “accepted” risk position the company takes. But an overall score of “66” or a “D” is inexcusable. Furthermore, a history of allowing hackers to exploit authentication and tokens does not instill confidence that potential Libra holders’ privacy data (including private keys) will be secured. If the keys are compromised, major financial theft is likely to occur.

CYBR is well aware of the Facebook bug bounty going on and has not submitted anything. We don’t do this for “bounties”. We are here to educate the community AND the companies on the collective web. CYBR will be happy to work with Facebook and share our wealth of information. But more importantly we are sharing it with YOU the community, because YOU are the ones at risk.

Conclusion

In summary, Facebook needs to take a long, hard look at its history of cyber security incidents and the damage done to its stakeholders, because if the past is any predictive indicator, a Facebook cryptocurrency is currently a recipe for disaster.

Written by:

Shawn R. Key
CEO, CYBR
Cybrtoken.io
cybr@cybrtoken.io


Published in CYBRtoken

CYBR is an ever-expanding compendium of information combined with state-of-the-art software solutions optimized for the blockchain.