Breach: Facebook Exposes Personal Photos

Facebook disclosed a new breach today which (according to their disclosure) “may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.” It’s unclear how many European users were affected, but this is a clear GDPR violation even when we don’t consider the potential embarrassment of personal photos being presented to the wrong people.

While Facebook hasn’t made it entirely clear how this happened, the main thing to keep in mind is how this underscores the complexity of the API-driven microservice world. According to Facebook, this breach was limited to apps that had authorized access to a specific photo API, which is separate from the general newsfeed API. This implies that the photo service has different permissions than the newsfeed service, even though they are accessing the same data.

Most security models stop traffic at some sort of an API gateway, sort of like a border crossing where you show your passport, and they check a computer for criminal records or other reasons to keep you out. Once you’re in, the service itself usually trusts that all the security checks were done at the border (or the Edge, as we say in the API security world).

This breach illustrates the folly of that kind of architecture. Personal photos should not be exposed to anyone other than the person. The combination of User+Service should be a specific key, but we need to get even more granular with User+Service+Datapoint, so that Me+Photos+20181213-img.png can’t be accessed with a key that represents You+Photos+20181213-img.png.

That border check is still really important, but just as you lock the door to your house, an app that gets into the data center shouldn’t be able to accidentally wander into the wrong place because it wasn’t locked down.

Cloudentity has a combination of tools, from a MicroPerimeter™ Gateway that exists on the Edge to a MicroPerimeter™ Sidecar that is like a home security system for the service. Then you can add the Permission Service, which lets you add even one more layers to associate things like the user to the object — in this case, a personal photo.

At the end of the day, Facebook is going to face fines, dropping stock prices (again), and a continued exodus of users. Only a combination of Users, Services, Things, and granular permissions can stop the ongoing series of breaches.