Not long after Twitter was chastised for overstating its security measures and letting many high-profile accounts get hacked, Facebook decided to make sure it couldn’t suffer the same fate. A challenge was issued across the land (to a specific group of employees): do everything you can to break into Facebook’s administration functions. Engineer Pedram Keyani was behind the challenge, and the task he set was to reach those administration functions by way of his own personal Facebook account.
After a couple of weeks, the team of employees had indeed hacked into his personal Facebook account. By attacking his home network with a rogue Wi-Fi SSID (an access point posing as a network his devices would join), the team was able to capture several of his usernames and passwords. It’s impressive that they were able to get into the account of a site engineer who not only knew it was coming, but arranged for it.
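A rogue SSID works because clients choose a network by name, not by the hardware address of the access point behind it. The checker below, an added example rather than anything Facebook or Keyani described, shows the telltale signs a defender can look for in a Wi-Fi scan: a trusted SSID advertised from a BSSID that is not on the owner’s allow-list, a downgrade from WPA2 to an open network, and a signal stronger than the real router’s. The scan records, the allow-list and the tab-separated format are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample scan (not data from the article). Tab-separated fields:
# SSID, BSSID, security, signal in dBm. The second "HomeNet" row is the rogue:
# a different BSSID advertising the trusted SSID with no encryption at all.
SAMPLE_SCAN = """\
HomeNet\tAA:BB:CC:11:22:33\tWPA2\t-45
HomeNet\tDE:AD:BE:EF:00:01\tOPEN\t-30
Neighbor\t12:34:56:78:9A:BC\tWPA2\t-70
"""

# Assumed allow-list of the owner's own access points: SSID -> (BSSIDs, security).
# In practice this comes from the router's admin page or a baseline scan.
TRUSTED = {"HomeNet": ({"AA:BB:CC:11:22:33"}, "WPA2")}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str
    signal_dbm: int


def parse_scan(text):
    """Turn the constructed tab-separated scan into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = line.split("\t")
        aps.append(AccessPoint(ssid, bssid.upper(), security.upper(), int(signal)))
    return aps


def find_evil_twins(aps, trusted=TRUSTED):
    """Return (ssid, bssid, reasons) for every AP that claims a trusted SSID
    but is not one of the owner's known access points."""
    findings = []
    for ap in aps:
        if ap.ssid not in trusted:
            continue  # someone else's network; not our concern here
        known_bssids, known_security = trusted[ap.ssid]
        if ap.bssid in known_bssids:
            continue  # the real router
        reasons = ["BSSID not in the allow-list for this SSID"]
        if ap.security == "OPEN" and known_security != "OPEN":
            reasons.append("security downgraded to an open network")
        strongest_known = max(
            (k.signal_dbm for k in aps if k.bssid in known_bssids), default=None
        )
        if strongest_known is not None and ap.signal_dbm > strongest_known:
            reasons.append("stronger signal than the legitimate AP")
        findings.append((ap.ssid, ap.bssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(parse_scan(SAMPLE_SCAN)):
        print(f"possible evil twin of {ssid!r} at {bssid}: " + "; ".join(reasons))
```

The check is only useful on a device that is scanning rather than already joined: a laptop that auto-connects by SSID will happily associate with the louder, open impostor. That is why the outcome Keyani describes matters more than the initial compromise, since credentials harvested on a rogue network are only as damaging as the systems they also unlock.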
But as bad as that sounds, it really isn’t. Because while the employees-turned-hackers were able to get into Keyani’s personal account, they were not able to access the administration functions of the site, which was the real goal of the exercise. In the comments of TechCrunch’s story — which initially spun the hack as more of a straight-up success — Keyani responded. The response included this clarification:
In this particular case, the challenge demonstrated the effectiveness of Facebook’s security systems, not the opposite. Despite months of work and hundreds of hours of effort by a team of specialized security engineers, the team was NOT able to access Facebook’s administrative or corporate systems. While they were able to access my personal Facebook account, they were not able to use this information to access any other account on Facebook.
This is actually pretty impressive for Facebook, but one question remains unanswered. Did Keyani, knowing that benign hackers were constantly trying to get into the administrative system, take steps during this time to avoid any activity that could expose his passwords or his method of accessing it? It seems his Facebook account could be accessed because he logged into that account during the exercise. It’s not clear whether the hacking team ever had the opportunity to watch him use the administrative functions themselves.
This challenge seems like it was productive, and it was probably even fun. But it’s not a full test until they attack someone unsuspecting. Maybe Facebook should hack Mark Zuckerberg himself. But whatever you do, don’t tell him or write about it on the Internet.