
Facebook Admits to Profile Master Password


Here's news to give the more paranoid members of society an early morning heart attack...

In an interesting interview with The Rumpus, an anonymous Facebook employee has revealed that for a long time the site had a master password which could access any profile stored on the site regardless of its privacy settings:

"Employee: I’m not sure when exactly it was deprecated, but we did have a master password at one point where you could type in any user’s user ID, and then the password. I’m not going to give you the exact password, but with upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,’ more or less. It was pretty fantastic.
Rumpus: This was accessible by any Facebook employee?
Employee: Technically, yes. But it was pretty much limited to the original engineers, who were basically the only people who knew about it. It wasn’t as if random people in Human Resources were using this password to log into profiles. It was made and designed for engineering reasons. But it was there, and any employee could find it if they knew where to look. I should also say that it was only available internally. If I were to log in from a high school or library, I couldn’t use it. You had to be in the Facebook office, using the Facebook ISP."
So what is the situation these days?

"Employee: ...we’ve cracked down on this lately, but it has been replaced by a pretty cool tool. If I visited your profile, for example, on our closed network, there’s a ‘switch login’ button. I literally just click it, explain why I’m logging in as you, click ‘OK,’ and I’m you. You can do it as long as you have an explanation, because you’d better be able to back it up. For example, if you’re investigating a compromised account, you have to actually be able to log into that account.
Rumpus: Are your managers really on your ass about it every time you log in as someone else?
Employee: No, but if it comes up, you’d better be able to justify it. Or you will be fired."

As you might expect, many Internet sites have leapt on this and cried blue murder (pun very much intended), but I'd advise calmness and a healthy dose of 'meh'.

The majority of websites store the password you give them, whether encrypted or not, and (1) it does make a certain amount of sense to have a fail-safe in place (at least initially) while a site is evolving, and (2) if you had published data to your Facebook profile so sensitive that you burst into hysterics at the idea of a Facebook employee viewing it, then you really need to reconsider a) what you post on there and b) that decision to stop taking your meds...

Link:
Rumpus interview
