Why the Facebook contact uploader vulnerability and subsequent hackbreachleak matters. Phone numbers are the ideal attack surface to force multiply other vulnerabilities. Facebook exposed non-public information and needs to answer for it.
As I learned from today’s Spaces call:
—FB’s contact sync was vulnerable to a malicious attacker who could enumerate phone numbers to harvest FB IDs. This revealed non-public information
—attacker then scraped accounts by FB ID
—API limits woefully inadequate/trivial to cheat
—botnets would enable easy circumvention of throttling of lookups per user per session
—Facebook silently changing user prefs made it confounding to know how your phone number was used; default settings put risks on users
—expect probe of who knew what when as FB deflects & spins
I didn’t catch the whole Spaces session so I look forward to learning about the other big points I missed.
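The two weaknesses the thread lists (a per-user lookup limit that is "trivial to cheat", and botnets spreading the lookups across many accounts so no single session trips the throttle) can be illustrated on the defender's side. The following is an added example, not code from the thread or from Facebook: it simulates a contact-sync lookup log (constructed data, not real records), applies a per-account sliding-window limit, and then applies a cross-account check that finds a dense run of consecutive numbers probed by several low-volume accounts, which the per-account limit alone cannot see. Field names, thresholds and account names are assumptions.

```python
"""Spotting phone-number enumeration against a contact-sync endpoint.

Added example with constructed data (no real Facebook records). Two checks:
  1. a per-account rate limit, which catches one noisy account but
     sees each bot as a quiet user, and
  2. a cross-account check on the number space being probed, which
     reveals several accounts sharing one block of consecutive numbers.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    ts: int          # unix seconds
    account: str     # account that uploaded the contact (assumed field)
    number: int      # phone number as digits only
    matched: bool    # whether the number resolved to a profile


# Assumed log format: "<ts> <account> <+number> <matched 0|1>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+\+?(\d+)\s+([01])$")


def build_sample_log() -> str:
    """Constructed lookup log: one legitimate user, one noisy bulk account,
    and five low-volume bot accounts sharing a single number block."""
    rows, t = [], 1617800000
    # legitimate user syncing a handful of scattered contacts
    for num, hit in ((15551230001, 1), (15559876543, 1), (15552223333, 0)):
        rows.append(f"{t} acct_legit +{num} {hit}")
        t += 1
    # one account probing 12 consecutive numbers: a per-account limit catches it
    for k in range(12):
        rows.append(f"{t} acct_bulk +{15550001000 + k} {1 if k == 4 else 0}")
        t += 1
    # five accounts each probing only 4 numbers, together covering 20 in a row
    for b in range(5):
        for k in range(4):
            n = 15550002000 + 4 * b + k
            rows.append(f"{t} acct_bot{b} +{n} {1 if (b, k) == (2, 1) else 0}")
            t += 1
    return "\n".join(rows)


def parse_log(text: str) -> list[Lookup]:
    """Parse the constructed log format, one lookup per line."""
    out = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"bad log line: {line!r}")
        ts, acct, num, hit = m.groups()
        out.append(Lookup(int(ts), acct, int(num), hit == "1"))
    return out


def over_per_account_limit(lookups: list[Lookup], window_s: int = 3600,
                           limit: int = 10) -> set[str]:
    """Accounts with more than `limit` lookups inside any sliding window."""
    by_acct: dict[str, list[int]] = defaultdict(list)
    for lk in lookups:
        by_acct[lk.account].append(lk.ts)
    flagged = set()
    for acct, stamps in by_acct.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 > limit:
                flagged.add(acct)
                break
    return flagged


def consecutive_runs(lookups: list[Lookup], min_len: int = 10,
                     min_accounts: int = 3) -> list[tuple[int, int, int, list[str]]]:
    """Runs of consecutive numbers touched by several distinct accounts.

    Returns (first_number, last_number, run_length, accounts) per run.
    Aggregating by the numbers probed, rather than by who probed them,
    is what exposes throttling evasion spread over many accounts.
    """
    accts_by_num: dict[int, set[str]] = defaultdict(set)
    for lk in lookups:
        accts_by_num[lk.number].add(lk.account)
    nums = sorted(accts_by_num)
    runs, i = [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        run = nums[i:j + 1]
        accounts = set().union(*(accts_by_num[n] for n in run))
        if len(run) >= min_len and len(accounts) >= min_accounts:
            runs.append((run[0], run[-1], len(run), sorted(accounts)))
        i = j + 1
    return runs


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("per-account limit flags:", over_per_account_limit(events))
    for first, last, n, accts in consecutive_runs(events):
        print(f"shared block +{first}..+{last} ({n} numbers) from {accts}")
```

With the constructed log, the per-account limit flags only `acct_bulk`; the five bot accounts each stay under it, and only the cross-account run check reports the block of 20 consecutive numbers they share. The same aggregation can be keyed on the uploading device, IP range or time bucket; the point is that enumeration is visible in the target number space even when each source looks quiet.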
More from @profcarroll

7 Apr
Wow. @ashk4n reveals that his 2FA phone number which was different from the phone number he associated to his account was leaked in the contact sync vulnerability. Private information was most certainly breached. Facebook must be pushed on its subterfuge, when it knew what when.
Wow. @intdc explains how Facebook silently changing its confusing privacy settings set the stage for this catastrophic leak by making it too difficult to realize the difference between the visibility of your phone number vs. lookup by phone number. Cambridge Analytica déjà vu.
5 Apr
You can now check @haveibeenpwned to see if your Facebook account data is among the half-billion leaked and circulating. You know, that breach that Facebook insists it has no responsibility for because it’s an “old” breach. haveibeenpwned.com
FWIW I deactivated my Facebook in 2018 so it was protected from the breach. The only safe account is an inert or deleted account.
CAVEAT: @haveibeenpwned only checks if your email is in leaked data. Most of the Facebook records are uniquely identifiable by phone number, not emails. So unless someone else builds a phone query tool or Facebook notifies folks… ¯\_(ツ)_/¯