
Facebook Admits to Profile Master Password

by Gordon Kelly


Here's news to give the more paranoid members of society an early morning heart attack...

In an interesting interview with The Rumpus, an anonymous Facebook employee has revealed that for a long time the site had a master password which could access any profile stored on the site regardless of its privacy settings:

"Employee: I’m not sure when exactly it was deprecated, but we did have a master password at one point where you could type in any user’s user ID, and then the password. I’m not going to give you the exact password, but with upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,’ more or less. It was pretty fantastic.

Rumpus: This was accessible by any Facebook employee?

Employee: Technically, yes. But it was pretty much limited to the original engineers, who were basically the only people who knew about it. It wasn’t as if random people in Human Resources were using this password to log into profiles. It was made and designed for engineering reasons. But it was there, and any employee could find it if they knew where to look. I should also say that it was only available internally. If I were to log in from a high school or library, I couldn’t use it. You had to be in the Facebook office, using the Facebook ISP."

So what is the situation these days?

"Employee: ...we’ve cracked down on this lately, but it has been replaced by a pretty cool tool. If I visited your profile, for example, on our closed network, there’s a ‘switch login’ button. I literally just click it, explain why I’m logging in as you, click ‘OK,’ and I’m you. You can do it as long as you have an explanation, because you’d better be able to back it up. For example, if you’re investigating a compromised account, you have to actually be able to log into that account.

Rumpus: Are your managers really on your ass about it every time you log in as someone else?

Employee: No, but if it comes up, you’d better be able to justify it. Or you will be fired."
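An added illustration, not Facebook's code and not from the interview: the controls the employee attributes to the 'switch login' tool (internal network only, a stated reason, accountability afterwards), expressed as a per-employee impersonation gate. The network range, the minimum reason length, all names and the hash-chained audit log are assumptions made for the example.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Assumed values: the interview only says "closed network" and "an explanation".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MIN_REASON_LEN = 15


class ImpersonationDenied(Exception):
    """Raised when a switch-login request fails policy."""


class AuditLog:
    """Append-only log; each record stores the hash of the one before it."""

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = dict(event, prev=prev)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append(dict(body, hash=digest))

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False  # a record was edited, removed or reordered
            prev = rec["hash"]
        return True


def switch_login(log, actor, target, reason, source_ip):
    """Return a session for `actor` acting as `target`, or raise."""
    ip = ipaddress.ip_address(source_ip)
    reason = reason.strip()
    allowed = any(ip in net for net in INTERNAL_NETS) and len(reason) >= MIN_REASON_LEN
    # Denied attempts are logged too, so a reviewer sees every try, per employee.
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                "target": target, "reason": reason, "ip": source_ip, "allowed": allowed})
    if not allowed:
        raise ImpersonationDenied("off-network or missing justification")
    return {"user": target, "impersonated_by": actor}
```

Unlike a shared master password, every record here names the employee who acted, which is what makes "you'd better be able to justify it" enforceable.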

As you might expect, many Internet sites have leapt on this and cried blue murder (pun very much intended), but I'd advise calmness and a healthy dose of 'meh'.

The majority of websites store the password you give them, whether encrypted or not, and: 1. it does make a certain amount of sense to have a fail-safe in place (at least initially) while a site is evolving, and 2. if you had published data to your Facebook profile so sensitive that you burst into hysterics at the idea of a Facebook employee viewing it, then you really need to reconsider a) what you post on there and b) that decision to stop taking your meds...

Link: Rumpus interview

CodeMonkey

January 12, 2010, 5:07 pm

'Meh'..

well, you did ask....

Gordon394

January 12, 2010, 5:11 pm

@CodeMonkey - agreed!

Rich 42c5

January 12, 2010, 5:12 pm

sorry but I think the whole article is fabricated...

Gordon394

January 12, 2010, 5:22 pm

@rich - no need to be sorry, nothing to do with us. We shall see...

kdot

January 12, 2010, 5:34 pm

CodeMonkey beat me to it, my thoughts exactly.

Is Rich staff? The reply doesn't seem like he is.. *hints at a highlighted name*

Hugo

January 12, 2010, 5:57 pm

Rich is our resident coder - without him we are nothing (and vice versa).

I agree with his sentiment; there's nothing to suggest the original article is anything other than complete nonsense. Why would Facebook admins/staff need a "master password" to log into accounts? There are many far easier, far less unrealistic ways to do that. The "Chuck Norris" reference cinched it for me - FAKE!

DrDark

January 12, 2010, 6:28 pm

Now I'm worried that @Rich has my TR password!

:P

Robovski

January 12, 2010, 6:46 pm

Sounds fake. That said, it's like discovering that bank employees can access your bank account. Of course they can! They are in the bank!

ChrisC

January 12, 2010, 10:49 pm

I'd be more surprised if you told me Facebook did not have access to all of the info stored on their servers. Surely any network admin needs the facility to log in as any user for engineering reasons.

I really can't see why this is such a big deal, whether it's fake or not!!

Stuea4

January 13, 2010, 3:02 am

I laugh at the outrage that this has spawned. Of course Facebook staff can see your profile. I'm sure there's probably something in the T&Cs stating such when you sign up too. At least they have a system of accountability in place.

Compare this to vBulletin boards for a moment. I'm an admin on a couple, I can log in as any user at the click of a button and read anything about them. I can also post messages and send PMs as that user. I've even seen PMs containing people's bank details (occasionally we have a problem in the Classifieds section and I need to read up on what's happened). For me there is ZERO accountability, I have nobody to answer to except the law. At least Facebook staff are checked up on by the company.
