back to article Facebook is one bad Chrome extension away from another Cambridge Analytica scandal

Multiple Chrome browser extensions make use of a session token for Meta's Facebook that grants access to signed-in users' social network data in a way that violates the company's policies and leaves users open to potential privacy violations. Security researcher Zach Edwards last week noted that Brave had blocked a Chrome …

  1. Pascal Monett Silver badge

    "VP of Integrity at Meta"

    The rational universe has just exploded.

    We're all living in the Matrix now.

    1. ShadowSystems Silver badge

      Re: "VP of Integrity at Meta"

      I thought it was a joke & nearly choked on my drink as the laughter bubbled up to my lips, but then realized they were _Serious_ about the job title & can only blink in disbelief.

      *Starts handing out pints of MindBleach*

      Drink up, it's Thursday & nobody ever gets the hang of those...

      1. Anonymous Coward
        Anonymous Coward

        Re: "VP of Integrity at Meta"

        Same here. I need another keyboard :)

        1. cyberdemon Silver badge

          Re: "VP of Integrity at Meta"

          ---> see icon

          It reads a bit like how Orwell explained the government departments in 1984

          The Ministry of Love, is responsible for hate

          The Ministry of Truth, is responsible for lies

          The Ministry of Peace, is responsible for war

          The VP of Integrity, is responsible for ... Corruption?

    2. Anonymous Coward
      Anonymous Coward

      Re: "VP of Integrity at Meta"

      I see a job that Boris Johnson could fail upwards to. He wouldn't even be the first UK prime minister to get a senior role at Facebook, I'm sure Nick Clegg can show him around. "And here is the fridge..."

    3. SundogUK Silver badge

      Re: "VP of Integrity at Meta"

      The fact they need one tells you all you need to know.

    4. CrazyOldCatMan Silver badge

      Re: "VP of Integrity at Meta"

      It's either a really, really quiet part-time job - or a full-time one in ensuring that all traces of integrity are expunged before they can take root..

  2. b0llchit Silver badge

    Deflect and play down

    The token, we're told, is not the problem. Rather browser extensions allow users to automate Facebook activities.


    Even so, abuse of these sorts of tokens looks likely to continue because Meta says they have legitimate use cases...

    They are saying: a) not our fault, b) we don't really care and c) we need this. Therefore, we are not going to do anything.

    That is exactly as you would expect. The users are of no real interest. Only the user's data is of interest. If that can be abused, ah well, that is a minute side effect. The motto is "we'll do nothing as long as we get more money than it costs".

    1. Fred Daggy Bronze badge

      Re: Deflect and play down

      It does rather sound like the same trick god pulled when he put the apple in the Garden of Eden and said "Don't eat that".

      Never heard of the Flying Spaghetti Monster pulling that crap. (Bless his/her/indeterminate noodly appendage)

      1. badflorist

        Re: Deflect and play down

        Or like throwing your wallet into the street and yelling "Mine!" as you walk away.

        The incompetence of Mark Zuckerberg is outstanding. The fact that Mark Zuckerberg calls the users of Facebook "dumb fucks" is ironic as he's clearly a user himself.

      2. b0llchit Silver badge

        Re: Deflect and play down

        That would be equating "facebook" with "god"... Hm, that opens up for some interesting thoughts...

        (see icon, for both)

    2. Stork Silver badge

      Re: Deflect and play down

      Why would it worry Meta? Did the Cambridge Analytica story actually do them that much harm? As in limiting revenue I mean.

    3. unimaginative Bronze badge

      Re: Deflect and play down

      Why is it their fault? If you use a browser extension it can view your data.

      Do you really want FB to limit what you can do in the browser?

      Essentially a malicious browser extension can siphon off data. What a surprise!

    4. Robert Helpmann??

      Re: Deflect and play down

      As part of that deal, Facebook committed to limiting third-party access to user data.

      Unless they get paid for it, in which case profit.

      On a personal note, I recently posted to FB for the first time in several years. It was a quick note about a Magritte print I had never seen before. I can only guess at the consternation this caused the algorithms Meta employs to track users. If they can make a profit off that, more power to them.

  3. ShadowSystems Silver badge

    I wonder what would happen if...

    Someone combined various exploits, zero day flaws, and all the other security issues to gain illegal access to FB's data servers, upload a worm that replicated itself to all their active & passive data storeage resources, then all went off in a coordinated attack to destroy every last bit & byte of archive, current, & future data.

    Would FB implode like a balloon suddenly developing a black hole inside, or would it explode like the Big Bang?

    I'd be willing to provide the popcorn while watching it happen... =-J

    *Inserts a giant, 99 point, neon, blinking, scrolling marquis, bold, underlined, & itallicized sarcasm tag*

    1. Doctor Syntax Silver badge

      Re: I wonder what would happen if...

      "Would FB implode like a balloon suddenly developing a black hole inside, or would it explode like the Big Bang?"

      I've no idea but I'm not going to stop you if you want to try. It's the only way to find out.

    2. Anonymous Coward
      Anonymous Coward

      Re: I wonder what would happen if...

      I think the best way to approach this is not to be deleting data as that would get noticed quite quickly and can probably be restored from replication sites and backups.

      The best way is probably for a worm to quietly make minor changes that reduce the value of the data. Find users with more than a hundred friends and add a few random people and unfriend some others. Find people that have 'liked' hundreds of brands and 'unlike' a few of those but replace them with random others. Find people that have lived in more than five places according to their profile and add another some way back. They probably wouldn't notice.

      It's all about tainting the data and throwing the algorithms off. Ultimately you want their profiling to become less accurate because the accurate profiling is FB's main source of income.

      That's also why I'd never recommend to just delete your FB profile, I'd spend some time tainting the data first. First you change a few letters in your name (FB appears less strict on the "real name policy" nowadays as they are haemorrhaging enough users as it is), perhaps one letter a week. Then slowly, a couple a day, unfriend contacts and unlike brands, films, bands etc. Perhaps replace them with other random ones. After a month or so you "move" to Ecuador/Laos/Burundi and start connecting with local people there, like local bands, follow local news, etc. Then change your language settings to the local language of your new "home". Let that simmer for a bit, accept suggestions for local bands or news sites to follow, unfriend a couple more people from your old country. Two months in and your profile and what FB "knows" about you has changed significantly. Only then close your account.

      1. Anonymous Coward
        Anonymous Coward

        Re: I wonder what would happen if...

        Well, that SOUNDS like a plan. LOL

  4. Warm Braw Silver badge

    The token, we're told, is not the problem

    It's not quite the same argument as claiming "View Source" makes you a hacker, but it comes close.

    If the browser environment makes it possible for legitimately- and illegitimately-acquired access tokens to be combined to achieve unauthorised access, then you shouldn't be issuing tokens that can easily be acquired illegitimately.

    As for "legitimate use cases", I find myself struggling to imagine what they might be for Facebook as a whole. I suppose it keeps Nick Clegg out of government but it would be difficult to justify on that basis alone.

    1. SundogUK Silver badge

      Re: The token, we're told, is not the problem

      "I suppose it keeps Nick Clegg out of government but it would be difficult to justify on that basis alone."

      Oh, I don't know...

    2. Charles 9 Silver badge

      Re: The token, we're told, is not the problem

      Ever thought it might be a "dual use" problem? You know, like knives...?

  5. Jamesit

    "Multiple Chrome browser extensions make use of a session token for Meta's Facebook that grants access to signed-in users' social network data in a way that violates the company's policies and leaves users open to potential privacy violations."

    I thought privacy was violated by using Facebook.

  6. Steve Davies 3 Silver badge

    Facebook is the new Borg

    and I refuse to use their new name just like I do with Google.

    In the words of an old song,

    They Want It All by The Byrds

    They want it all, they want it now

    They want to get it and they don't care how

    They want it all, they want it now

    How prophetic they were.

    Suck on this Zuck -> see icon

  7. Brewster's Angle Grinder Silver badge

    There should be no token available without the user's explicit consent

    You can put a lock on your door. Or you can not bother and report anybody who harmlessly wanders through your property to the police. But don't then whine that the police have better things to do than play whack-a-mole with everyone who decides to visit your property.

  8. FuzzyTheBear

    Chrome .. need we say more ?

    Chrome is ground up to violate ones privacy and rape as much data as it can for the benefit of Google. Is it any surprise that all of a sudden the whole swiss cheese leaks all over the place ? Think about it. Chrome is engineered ground up not to respect privacy but rake data to it's servers. So using chrome is kind of silly if you want your privacy. In fact , i don't trust a single browser to respect my data and my privacy on the internet. Everything downwind is to be expected and if it blows up in the user's faces and in the company's servers , put the finger where it hurts : Google. If anyone's responsible for the mess it's them. They allow by design the rape of as much data as can be done. Damn the users.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chrome .. need we say more ?

      Yes, Chrome, the browser that harvests your data even when you're in 'incognito mode'. Incognito to others perhaps but not to Google.

      1. Anonymous Coward
        Anonymous Coward

        Re: Chrome .. need we say more ?

        Yet there is a big groundswell in the use of Chrome in the WordPress development community. Several of them who are in my local WP user group seems oblivious to the dangers of it. Several of the tools that you use to measure WP site performance only play ball when run from Chrome. Some are even hosted by Google.

        My firewall refuses to let Chrome phone home. That is the least I can do in the fight against Google Spying on its users.

        The same goes for Facebook. All blocked at my firewall. Anyone who says, follow me on FB gets told politely that I won't because I don't use it and never will.

        Yes, my resistance is probably futile and that some gubbermint will pass a law making it mandatory for everyone to be on their social media platform.... such as 'Truth Social' perhaps?

  9. Mike 137 Silver badge

    The law of the wild gone wild

    Two hyenas fighting over the same kill. Unfortunately, we're the kill, whether we use farcebook or gooooooogle or we don't. Legislation is long overdue, but unfortunately the politicians are too careful of their future board appointments to act for the common good. Indeed the recent UK proposals on revised privacy legislation do nothing other than weaken its protections.

  10. marcellothearcane
    Paris Hilton

    Did I read that correctly?

    You use the Facebook "view as" feature, and get to see other people's access tokens?

    1. unimaginative Bronze badge

      Re: Did I read that correctly?

      As far as I understand you get to see your own, but the browser extension can read it.

  11. Anonymous Coward
    Anonymous Coward

    Scandal? What Scandal?

    Everything went exactly according to plan. Winner, winner. Chicken dinner!

  12. msobkow Silver badge

    Facebook: for when security isn't even an afterthought when profits are involved...

  13. Anonymous Coward
    Anonymous Coward

    LOC is a symptom, not the problem

    "Meta's spokesperson said [..] If the token has not been transmitted to the extension developer's server, as appears to be the case with the L.O.C. extension, then uninstalling the extension will also cause the token to expire"

    So what? LOC isn't the main issue (and probably isn't malicious). The problem is what it's exposed, and another, more malicious plugin *could* easily do just that.

  14. Filippo Silver badge

    Easy fix: logout from Facebook, clear cache & cookies, never login to Facebook again.

  15. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Heineken…

      The invisible links to FB in the email HTML are probably responsible for that.

      There are two solutions

      1) Don't click on the link then you won't know that you are already logged in

      2) start blocking all access to FB. Delete your account and tell all your email contacts that you are not on FB for security reasons and that they should stop sending you FB links.

      Then get on with life and erase FB from your consciousness.

      I blocked FB, WhatsApp, Twitter etc years ago. Simply doing that removes a huge great amount of stress in your life. Deciding that you simply don't care who says what about someone else is the first step in getting yourself off the drug that is Social media.

      1. Charles 9 Silver badge

        Re: Heineken…

        And if it's the ONLY contact you have with your family (because there's no "Internet" there, just Facebook)? For some. It's basically a decision to get disowned...

        1. Filippo Silver badge

          Re: Heineken…

          If someone in my family would rather not contact me at all, than make the effort required to e.g. write an email or pick up the phone, I would argue that our relationship has bigger problems than Facebook.

          1. Charles 9 Silver badge

            Re: Heineken…

            Unless they have no e-mail to speak of and are international, meaning the phone rates are atrocious and the post takes forever.

  16. Anonymous Coward
    Anonymous Coward

    Find a cross-road

    Dig a pit

    Bury Facebook

    Put a whopping huge stake through it as well

  17. Anonymous Coward
    Anonymous Coward

    No problem

    Nick Clegg will fix it

  18. Anonymous Coward
    Anonymous Coward

    Risk? (and quiet rueful aside) opportunity?

    “ Though Facebook vowed to put in place measures to prevent another Cambridge Analytica fiasco, the Creators Studio access tokens in the hands of a malicious and widely installed Chrome extension could lead to a repeat of history.”

    Or… “nuts! another lost opportunity thanks to some paranoid meta developer” who blew the cover story.

  19. Cincinnataroo

    Users more control?

    Maybe the users of Facebook need more control. Ways to automate for themselves.

    Cut out these middlemen, some of whom are proven hostile.

    1. Charles 9 Silver badge

      Re: Users more control?

      No time. Gotta rush, rush, rush working 28 hours a day, 8 days a week for Da Man or starve...

      At least, until the capital holders find a way to make most labor obsolete. Then what? Send in the Terminators...?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022