Employees Challenged To Crack Facebook Security, Succeed (Updated)

Apparently Facebook noticed the slapdown that the FTC gave Twitter in June because Twitter “failed to prevent unauthorized administrative control of its system.” Shortly afterwards, one of the senior engineers at Facebook responsible for SRE (site reliability engineering) challenged Facebook employees to try to compromise him and gain access to Facebook’s administrative system via information obtained from him.

They succeeded.

It took a couple of weeks though. Employees supposedly got in via his home WiFi network, says our source. The details aren’t entirely clear, and Facebook isn’t talking. What I’ve heard is that they were able to intercept data from his home network after capturing his WPA password by luring him into logging into a rogue WiFi SSID that appeared to be his own router. See here for some details on how easy this is to do.

Once his home network fell, the Facebook employees were able to monitor all his Internet activity and obtain clear text passwords, etc.

The Twitter hacks last year began with compromised personal email accounts and unfolded from there.

It’s absolutely a smart thing for Facebook to do this, and other companies should too. But if a security engineer at Facebook was compromised, even though he knew it was coming, imagine how trivial it would be for other people to get hit, too.

Now excuse me while I go camp out in Mark Zuckerberg’s back yard for a week or two and try to set up a rogue WiFi SSID. Wish me luck.

Update: Facebook engineer Pedram Keyani, who was behind the challenge, has responded in the comments. He says that the challenge actually demonstrates how secure Facebook is — while the team could access his account, they were unable to compromise Facebook’s administrative/corporate systems.

I’m the engineer who made the challenge and I want to clear up some
misunderstandings. First, we perform tests on the integrity and security of
our site all the time. Second, in this particular case, the challenge
demonstrated the effectiveness of Facebook’s security systems, not the
opposite. Despite months of work and hundreds of hours of effort by a team
of specialized security engineers, the team was NOT able to access
Facebook’s administrative or corporate systems. While they were able to
access my personal Facebook account, they were not able to use this
information to access any other account on Facebook. Finally, challenges
like this are a great way for us to apply our best thinking and skills to
identify risks to our systems. We think our efforts should give users
greater confidence in Facebook and its administrative systems, not less.