A detailed anatomy of the hack that compromised Facebook's 50 million user breach

Originally published at: https://boingboing.net/2018/09/29/stolen-access-tokens.html


Now I’m wondering how the analytics tools they provide to their advertisers could be exploited. If they were this sloppy with a user-facing feature…


That didn’t sound very white hat. Cancelled now.


So when Facebook loses your private information to any clown with a computer, to use for any purpose whatsoever, that’s hacking.

But when Facebook sells all your private information to anyone with money for any purpose whatsoever, that’s called their business model?


Clearly we need a new term for Fuckbook’s operations/modus operandi: ‘hacking model’


Supposedly trust in Facebook is at an all-time low and the hashtag #deletefacebook trends pretty well, but are their numbers dropping significantly? I highly doubt it, but I have no statistics to back that up. It seems to me either people don’t know, don’t care, or care but simply cannot conceive of managing without it, so here we are I guess. ¯\_(ツ)_/¯

FB is very low stakes in a lot of ways. “Yeah, I have some pictures up, and I’m part of a bunch of meme groups… what are they gonna steal?”

And in a sense, if that’s truly all you do on Facebook… then it’s a relatively low-risk proposition. A lot of the issues around FB are (and I use this word a lot and I feel like no one ever really hears it for what I mean by it) systemic. Individual users deleting Facebook make no difference because the group behaviors and systems that make FB a problem don’t magically disappear. This is the case for a lot of things. This is why you need better systems and not more individuals taking localized action, whether those systems are governmental (protection of election processes) or social (building a better culture of privacy).

And before someone says it, because people always seem to think I’ve never heard it: Yes, systemic change begins with individual actions–only when those actions are effectively geared towards systemic change. In other words, wanting your actions to have an impact and actually having an impact are different things.


The stakes are the tracking scripts + giving away your social graph.

Ask the average person to parse what that even means.

Just because they don’t understand the stakes doesn’t mean that they are, as you asserted, “low stakes” :slight_smile:


Seems about right. I used to develop software for a company in their league, and one of the more well known events of my career was when I made a change to an api which caused existing code that used the api in a way inconsistent with the specs (and common sense) to expose a security hole where a particular password that could be gleaned from inspecting the source code would give unlimited access to any account. It was amazing how quickly a white hat discovered the vulnerability. So two things went wrong on our end and whoever was supposed to be limiting access to our source code messed up. Three things go wrong and the jet airliner goes down.


Apologies for the long-ass rambling response, but I feel like there’s still room on the Internet for yet another self-indulgent rant. (I know, hold onto your eyeballs, they might roll away.)

On an individual level… the stakes are low. It sort of depends on how you define something like harm. I don’t want to get overly philosophical here, harm is the subjective experience of pain, or at very least, it’s phenomenological in nature (because who doesn’t like thinking like a bunch of dead Germans?)

Am I afraid of dying because of Facebook? Am I decidedly losing money? Is my life measurably worse in a real sense? I’m not talking about the weird social anxiety and paranoia that people experience on average. I’m not talking about how advertisers track you and use location information to influence pricing in our area. I’m talking about the kind of real measurable harm that makes you go, “I’m getting a raw deal and I can see it, feel it, and taste it.”

Again, in the aggregate, the consequences are real. To the individual, they’re minor, if they’re even perceptible. It’s not even like smoking cigarettes, not exercising, or having bad eating habits. It’s not even a slow burn. You can die after a lifetime of using social media and Facebook will never seem to have “caught up” with you. The stakes seem low to individuals because functionally they are low to individuals. Again, I’m going to use this word: The issues with FB are systemic more than they are individualized.

And don’t tell me about what can potentially happen to individuals. Horror stories do not line up with most people’s direct experience with FB.

Incidentally and relatedly, I’ve been browsing Richard Stallman’s website today, and two things immediately jump out at me:

  1. He has a considered, thoughtful, valid view of the world.
  2. Very few people live as he does because he has a broader consequentialist perspective than most people have the energy for. He feels real harm in using a cellphone or a shopper’s rewards card. And you get the sense that he’s probably right, but you or I do not perceive personal harm, because in a very real sense–there is no personal harm.

You get a similar issue with antivaxxers. Their perception of harm is deeply related to the fact that they often aren’t directly harmed in societies with strong herd immunity. They might get a non-threatening bout of measles and a person might blow an afternoon arguing politics on Facebook. So, in one regard they have been harmed, but in real sense, they lack the perception of harm that reifies that harm. “C’est la vie,” they say to themselves and when you tell them that FB or non-vaccination is harming them, and it’s really high stakes, they look at you like you have two heads because you’re applying the seriousness of a global problem in a way that is dramatically out of accord with the actual harm they’ve experienced. Because in their subjective experience (which is what matters when you define “stakes” because stakes are a function of worth) they haven’t experienced harm at all. Arguing Russian memes on Facebook is just life, measles is just a childhood illness.

From the other side of it, I rarely use Microsoft Windows anymore. I do most of my computing on Linux. (Don’t get the wrong idea: Despite referencing Stallman, I’m not a true FOSS acolyte, I simply admire him as the weird uncle I want to grow up to be.)
The reason I don’t use MSW anymore is that ever since Windows 10, I perceive a very real sense of loss of privacy. Cortana is too helpful, MS wants to help advertisers cater to me, the environment seems oppressive, and I feel dirty using it. The reality is of course that using MSW10 isn’t that bad, but my perception of harm is the real harm. At the risk of overdramatizing what is happening, I feel a kind of psychic pain. Some people feel that using Facebook because they’ve internalized the academic knowledge they have of FB, but that doesn’t mean that other users experience the same harm.

One more example and I’ll end this interminable thoughtwank: A smoker with terminal lung cancer who doesn’t know that they have lung cancer and has yet to experience adverse symptoms, who dies in a car crash… hasn’t suffered the harm of years of smoking. The potential for harm is there, but the consequences haven’t actually happened. A smoker who dies in a car crash but knows they have a terminal cancer is very much harmed by their smoking before they end up in a car crash. Harm is synonymous with the experience of pain because what constitutes harm is a function of how an experience is weighed subjectively. Even broad harm to society is subjective, but at least we can largely agree on and demonstrate how FB harms society. It’s a lot harder to tease out how it harms individuals. Even a data breach like this one may prove to affect relatively few users in a measurable way.

I understand if people disagree, and I absolutely understand if my presentation was tiresome, but I hope you got something out of it.


Looking for aeromorphs to outperform Putin appointees in the next election. But inclusive plural democracy would also please you know, someone.

Pretty good for Shinzo Abe blogging from Trump’s Penthouse. I’ll have to check a bunch of like, ad network graphs now to decide whether people feeling pain and people unconsciously using the Fist of Death [apology for weird Dilbert reference usage] exactly as intended are graph comorphs.



I see we have the same favorite Dilbert cartoon. I knew of it before I started working on ATC, and I was unsurprised to see copies of it stuck up around the office.

Of course, Wally knows where the bugs are, which puts him a step ahead of reality.


Don’t know the reference… Google didn’t help. Although I did find an old Bruce Lee movie that I haven’t seen before.

It’s the catchphrase of Alice, a Dilbert character. Alice is one of the most skilled of Dilbert’s co-workers, a woman who can really take care of herself.



Shit. Lots of women are being attacked in Brazil right now for opposing Bolsonaro, there was a concerted bot spam action inside groups yesterday before the protests as means of intimidating people.

Cory, this may put the lives of women at risk here. We are sitting on a gunpowder barrel until election day. These guys are terrorists.
