Date: 2020-01-11

Facebook pages give public figures, companies and other entities a presence on Facebook that is not linked to an individual profile. The accounts behind those pages are anonymous unless a page owner chooses to make the administrators public. For example, you cannot see the names of the people who post on Facebook on behalf of WIRED. But a bug that was live from Thursday evening to Friday morning allowed anyone to easily reveal the accounts behind a page, essentially exposing anyone who posted on one.

All software has flaws, and Facebook quickly fixed this one, but not before word spread on message boards such as 4chan, where people posted screenshots that identified the accounts behind prominent pages. All that was needed to abuse the bug was to open a target page and check the edit history of a post. Facebook mistakenly displayed the account or accounts that had made changes to each post, rather than just the edits themselves.

“We quickly resolved an issue where someone could see who edited or published a post on a page when looking at the edit history,” Facebook said in a statement. “We are grateful to the security investigator who pointed us to this issue.”

Facebook says the bug was the result of a code update that was pushed Thursday night. It is not something most people would have encountered on their own, because exploiting it required navigating to a page, viewing an edit history, and realizing that a name and profile photo should not be attached to the edits. Despite the Friday morning fix, screenshots circulated on 4chan, Imgur and social media that seemed to show the accounts behind the official Facebook pages of the pseudonymous artist Banksy, Russian President Vladimir Putin, former US Secretary of State Hillary Clinton, Canadian Prime Minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg and rapper Snoop Dogg, among others.

Facebook points out that no information was exposed beyond a name and a public profile link, but acknowledges that this information should not appear in the edit history at all. And for people who, say, run anti-regime Pages under a repressive government, exposing even that much information is alarming.

“For sensitive pages, I don’t exclude that some people feel they are in danger because of what happened today,” says Lukasz Olejnik, an independent privacy adviser and research assistant at the Center for Technology and Global Affairs at Oxford University. “Using fake accounts to run Pages would have been a good idea. Some might see it as a paranoid way of hiding, but it isn’t.”

After a series of privacy and security incidents, Facebook has focused on building up its protections and steadily expanding its bug bounty, encouraging researchers, such as the person who found the bug in the edit history, to submit security flaws for potential rewards. Ambitious improvements such as these take time, and no amount of extra security can change the fundamental risks associated with storing the data of 2.5 billion people.

“People who export sensitive pages from their own Facebook should now consider that their identity may be known,” says Olejnik. “Although errors happen, it is unexpected.”

