Was Chuck Norris able to access any Facebook account, without having your password?

As every internet nerd knows, there is no end to Chuck Norris's awesomeness.

But did you know that he was once reportedly able to unlock any Facebook user's account?

I was reminded of this claim when reading last week a Facebook post by record label director Paavo Siljamäki, about his recent experience when visiting Facebook's offices.


Today's thought-provoking story;
Popped to Facebook offices in LA, the nice people there were giving us good advice on how to use Facebook better. I was then asked if I'm ok for them to look at my profile, I said 'sure'. A Facebook engineer can then log in directly as me on Facebook seeing all my private content without asking me for the password.
Just made me wonder how many of Facebook's staff have this kind of 'master' access to anyone's account? What are the rules on who and when they can access our private content and how would we know if someone did? (My Facebook did not notify me that someone else accessed my private profile).

In other words, Siljamäki says he was asked by a Facebook staffer if it was alright to access his account, and Siljamäki gave his permission.

Perhaps understandably, Facebook was keen to reassure users about the practice, and issued the following statement to VentureBeat:

We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner’s Office as part of their audit of our practices.

Access is tiered and limited by job function, and designated employees may only access the amount of information that’s necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.

We have a zero tolerance approach to abuse, and improper behavior results in termination.

It doesn't explain, of course, why a message couldn't be sent to the Facebook user saying that the support team has accessed their account. That might also help to prevent abuse by a rogue member of Facebook's team.
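To make concrete what the statement's "tiered" access and "suspicious pattern" reports could look like alongside the user notification the post says was missing, here is an added example that is not code from the original article or from Facebook. It assumes a constructed audit log of support "view as user" events, a constructed role-to-reason policy and a constructed ticket table; every name, ticket id and timestamp is made up. Each access is checked against the policy (permitted role, permitted reason, ticket present and tied to the user actually viewed), every access produces a notice for the affected user, and the violations are grouped per employee for a periodic review.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed policy: which roles may impersonate a user, and for which documented reasons.
ALLOWED_REASONS: Dict[str, Set[str]] = {
    "support": {"account_support", "bug_report"},
    "engineer": {"bug_report"},
}

# Constructed ticket table: support ticket id -> the user the ticket concerns.
TICKETS: Dict[str, str] = {"T-100": "alice", "T-101": "bob"}


@dataclass(frozen=True)
class ImpersonationEvent:
    """One audit-log record of an employee viewing a user's account as that user."""
    employee: str
    role: str
    target_user: str
    reason: str
    ticket: Optional[str]
    timestamp: str


# Constructed sample log: two legitimate accesses and three policy violations.
SAMPLE_EVENTS: List[ImpersonationEvent] = [
    ImpersonationEvent("sam", "support", "alice", "account_support", "T-100", "2015-02-23T09:14:00Z"),
    ImpersonationEvent("eng1", "engineer", "bob", "bug_report", "T-101", "2015-02-23T11:02:00Z"),
    ImpersonationEvent("eng1", "engineer", "carol", "account_support", None, "2015-02-24T16:40:00Z"),
    ImpersonationEvent("hr1", "hr", "alice", "curiosity", None, "2015-02-25T08:05:00Z"),
    ImpersonationEvent("sam", "support", "dave", "bug_report", "T-100", "2015-02-26T13:30:00Z"),
]


def check_event(ev: ImpersonationEvent) -> List[str]:
    """Return the policy violations for one event; an empty list means the access was in policy."""
    findings: List[str] = []
    permitted = ALLOWED_REASONS.get(ev.role)
    if permitted is None:
        findings.append("role_not_permitted")          # role has no impersonation rights at all
    elif ev.reason not in permitted:
        findings.append("reason_not_permitted_for_role")
    if ev.ticket is None:
        findings.append("missing_ticket")              # no documented job reason for the access
    elif TICKETS.get(ev.ticket) != ev.target_user:
        findings.append("ticket_target_mismatch")      # ticket exists but is about someone else
    return findings


def user_notifications(events: List[ImpersonationEvent]) -> Dict[str, List[str]]:
    """Build a notice for every access, per affected user, whether or not it was suspicious."""
    notices: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        notices[ev.target_user].append(
            f"{ev.timestamp}: a {ev.role} employee viewed your account "
            f"(reason: {ev.reason}, ticket: {ev.ticket or 'none'})"
        )
    return dict(notices)


def weekly_review(events: List[ImpersonationEvent]) -> Dict[str, Dict[str, List[str]]]:
    """Group violations by employee and timestamp; employees with no findings are absent."""
    report: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
    for ev in events:
        findings = check_event(ev)
        if findings:
            report[ev.employee][ev.timestamp] = findings
    return dict(report)


if __name__ == "__main__":
    for employee, hits in weekly_review(SAMPLE_EVENTS).items():
        print(employee, hits)
    for user, notes in user_notifications(SAMPLE_EVENTS).items():
        print(user, notes)
```

The design point is that the ticket binding turns "employee X viewed user Y" into "employee X viewed user Y for ticket Z about user Y", which is what a reviewer needs to tell a support action from curiosity; the notification goes to the user on every access, not only on flagged ones, so that the control does not depend on the detection rules being complete.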

But it's good to hear that Facebook appears to take unauthorised access of users' accounts very seriously.

Because that wasn't always reportedly the case...

Back in 2010, The Rumpus published an interview with an anonymous Facebook employee claiming that there had been a master password that could allow Facebook employees to log into any user's profile. And the password could have been "Chu[k N0rr15":

Part of Rumpus interview

Rumpus: You've previously mentioned a master password, which you no longer use.

Employee: I'm not sure when exactly it was deprecated, but we did have a master password at one point where you could type in any user's user ID, and then the password. I'm not going to give you the exact password, but with upper case and lower case, symbols, numbers, all of the above, it spelled out 'Chuck Norris,' more or less. It was pretty fantastic.

Rumpus: This was accessible by any Facebook employee?

Employee: Technically, yes. But it was pretty much limited to the original engineers, who were basically the only people who knew about it. It wasn't as if random people in Human Resources were using this password to log into profiles. It was made and designed for engineering reasons. But it was there, and any employee could find it if they knew where to look.

I should say that it was only available internally. If I were to log in from a high school or library, I couldn't use it. You had to be in the Facebook office, using the Facebook ISP.

Rumpus: Do you think Facebook employees ever abused the privilege of having universal access?

Employee: I know it has happened in the past, because at least two people have been fired for it that I know of.

Rumpus: What did they do?

Employee: I know one of them went in and manipulated some other person's data, changed their religious views or something like that. I don't remember exactly what it was, but he got reported, got found out, got fired.

Now, there are some who question the veracity of the interview (for instance, its author Phil Wong has never contributed any other articles to The Rumpus before or since), so it's worth taking some of this with a pinch of salt.

Let's hope - true or not - that even Chuck Norris can't get into users' Facebook accounts now, and access is tightly controlled inside Facebook HQ.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.


One Response

  1. Coyote

    March 2, 2015 at 2:08 pm #

    Shared, unrestricted root access, essentially. Nice… One hopes that is not really how it was. But given their privacy record one wonders (but I admit if I were to judge them it would be biased so I can't say too much there, at least if I am to be fair [apparently I'm a bard of some sort, today]).

    But I want to go further here: those with enough server access (and one hopes that the database passwords are not at all used elsewhere) would likely be able to view all this, anyway. Therein lies the problem (a problem that is depending on circumstances also necessary): administrators can see more (and this is a necessary evil I'm afraid[1]). As for Norris. Well yes, given that he has been assigned pretty much every ability… I suppose it is fitting (though not for a password).

    [1]But reading personal stuff is another issue entirely (even if storing something on a machine that isn't yours is rather asking for it, one would still like to believe that administrators were ethical here). However, not monitoring users (on a server) for suspicious activity is asking for trouble, too.
