DEV Community

Daniel Molnar

Facebook's plain password storage - how was this possible?

"Facebook admits it stored 'hundreds of millions' of account passwords in plaintext" - says the article on TechCrunch. But how could this be possible, when even a junior developer knows that you have to encrypt the passwords in your database?

I have two ideas, but maybe there could be many more possible cases.

1) Facebook stored the passwords encrypted, but used an algorithm that can be decrypted.

2) When a user clicked on login (or possibly during registration), before checking the password against the database, they sent it in plaintext to another service, which stored it.

What do you think? This issue is too huge to be a simple mistake and must have happened for a reason.

Top comments (4)

rhymes • Edited

According to the discussion on HN they were logging the full auth request, password included

n0idea

Some rumors also state that these data were "queryable" by many Facebook employees. This sounds literally absurd.

rhymes

Yeah, it was "queryable" because the data leaked in the logs and usually logs are accessible through some centralized tool like Splunk probably.

And I bet there's no way to know if any of those employees accessed any of the users' accounts using those passwords :(

I hope there will be a day when the US government will advance regulation for tech companies to really protect users' privacy but I'm not optimistic hehe

Dan E

Almost no one does masking or protecting of their log file data (but they should). Another thing no one does is escape their logging data. So it’s very easy to, say, pass Linux commands to a website via a form that you know are going to be logged, and by logging that data the server can inadvertently trigger executable remote code...which pretty much means they are pwned.
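The masking and escaping of logged request data discussed in the comments above, sketched as a Python `logging` filter. This is an added example, not code from the post, the commenters or Facebook; the sensitive field names and the sample request are constructed assumptions, and it only covers values passed to the logger as arguments, not strings already formatted into the message.

```python
import logging
import re

# Assumed names of fields that must never reach a log line.
SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "authorization"}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def escape_control(text):
    """Render CR, LF, ESC and other control bytes visibly so one event stays one line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)

def scrub(value):
    """Recursively mask sensitive fields and escape every string that will be logged."""
    if isinstance(value, dict):
        return {
            escape_control(str(k)):
                "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return escape_control(value)
    return value

class ScrubFilter(logging.Filter):
    """Scrub log arguments before any handler formats or ships the record."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif record.args:
            record.args = tuple(scrub(a) for a in record.args)
        return True

def render_auth_log(request):
    """Pass one auth request through the filter and return the resulting log line."""
    record = logging.LogRecord("auth", logging.INFO, "example", 0,
                               "login attempt: %s", (request,), None)
    ScrubFilter().filter(record)
    return record.getMessage()

# Constructed sample: a password plus a username carrying an injected newline
# that would otherwise forge a second log entry.
SAMPLE = {"username": "alice\n2019-03-21 INFO login ok: admin", "password": "hunter2"}

if __name__ == "__main__":
    print(render_auth_log(SAMPLE))
```

In a real service the filter would be attached with `logger.addFilter(ScrubFilter())` on the logger that receives the auth request.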