A Facebook Bug Exposed Anonymous Admins of Pages

Credit to Author: Lily Hay Newman| Date: Fri, 10 Jan 2020 23:58:18 +0000

A bad code update allowed anyone to easily reveal which accounts posted to Facebook Pages—including celebrities and politicians—for several hours. 

Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one.

All software has flaws, and Facebook quickly pushed a fix for this one—but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves.

"We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history," Facebook said in a statement. "We are grateful to the security researcher who alerted us to this issue."

Facebook says the bug was the result of a code update that it pushed Thursday evening. It's not something most people would have encountered on their own, since it took navigating to a Page, viewing an edit history, and realizing that there shouldn't be a name and profile picture assigned to edits to exploit it. Still, despite the Friday morning fix, screenshots circulated on 4chan, Imgur, and social media appearing to show the accounts behind the official Facebook Pages of the pseudonymous artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and rapper Snoop Dogg, among others.

Facebook points out that no information beyond a name and public profile link were available, but that information isn't supposed to appear in the edit history at all. And for people, say, running anti-regime Pages under a repressive government, making even that much information public is plenty alarming.

"For sensitive Pages, I would not rule out that some people may be feeling that they are in danger due to what happened today," says Lukasz Olejnik, an independent privacy adviser and research associate at Oxford University's Center for Technology and Global Affairs. "Using fake accounts to run Pages would have been a good idea. Some could see it as a paranoid way of hiding, but it's not."

After a series of privacy and security gaffes, Facebook has focused on building out its protections, and has also been steadily expanding its bug bounty, which encourages researchers—like the person who found the edit history bug—to submit security flaws for potential rewards. Ambitious improvements like these take time—and no amount of added security can change the fundamental risks that go with stockpiling the data of 2.5 billion people.

"People who run sensitive Pages from their own Facebook should now consider that their identity may be known," Olejnik says. "While mistakes happen, this one is unexpected."

https://www.wired.com/category/security/feed/