I don't think I've worked on an app where at least some people inside the company couldn't log into anyone else's account. It's useful for debugging, and when you're developing the app, you need a way to switch users pretty frequently.
I worked on a local social network for a while and it also worked like this, even more blatantly (we had a built-in function that made us see the profile of an user exactly the way they saw it, to check bug reports and such). There were some not very nice consequences; I remember a case where a few guys gathered around a computer when someone was looking at a hot girl's private photos (there was nothing revealing, just close pictures and such). EDIT: someone has mentioned auditing; I remember that yes, we audited who did what.
Frankly, I thought everyone assumed that this worked as that, at least in the technical circles.
This should never be surprising. You must always assume that if your content is stored in the clear on a third party's resources, someone can and will poke through it.
I remember some of the high level Myspace employees bragging about how they would thumb through private messages when they were bored. And early day IRC mods saying the same. And dialup BBS admins. My mom opened my mail when I was a kid.
The amount of deeply intimate information that people transmit on Facebook makes me shudder.
Well, of course they do. But they also have extremely strict rules about when you can access what user data and why. Employees can and do get fired for minor infractions of those rules.
Yep, this isn't news at all, I remember reading an interview with an employee which they stated that every account access was logged and anyone that was found accessing information for non-valid reasons would be fired (I can't remember if they also pressed charges).
These same people are writing the code that fetches user data from the databases, renders it, handles events and so forth.
Trusting those people with access to user data doesn't seem like a huge stretch.
My experience from being heavily isolated from live data at Microsoft was that we were slow to respond to customer issues. We didn't touch people; we had to have special permission to get blinded historical data, much less anything live. Yet I was at least partially responsible for writing the systems that kept PII private.
It's easy to freak out about stuff you don't understand.
14 comments
[ 3.2 ms ] story [ 39.9 ms ] threadFrankly, I thought everyone assumed that this worked as that, at least in the technical circles.
I remember some of the high level Myspace employees bragging about how they would thumb through private messages when they were bored. And early day IRC mods saying the same. And dialup BBS admins. My mom opened my mail when I was a kid.
The amount of deeply intimate information that people transmit on Facebook makes me shudder.
Clickbait article?
Microsoft employees can. Apple's can. And all others can.
Such employess we call “admins”.
Trusting those people with access to user data doesn't seem like a huge stretch.
My experience from being heavily isolated from live data at Microsoft was that we were slow to respond to customer issues. We didn't touch people; we had to have special permission to get blinded historical data, much less anything live. Yet I was at least partially responsible for writing the systems that kept PII private.
It's easy to freak out about stuff you don't understand.