14 comments

[ 3.2 ms ] story [ 39.9 ms ] thread
I don't think I've worked on an app where at least some people inside the company couldn't log into anyone else's account. It's useful for debugging, and when you're developing the app, you need a way to switch users pretty frequently.
This seems pretty obvious. Someone has to have access to keep the thing running. I don't really get the point of this article.
They probably have some auditing in place, but impersonation capability is fairly common practice.
I worked on a local social network for a while and it also worked like this, even more blatantly (we had a built-in function that made us see the profile of an user exactly the way they saw it, to check bug reports and such). There were some not very nice consequences; I remember a case where a few guys gathered around a computer when someone was looking at a hot girl's private photos (there was nothing revealing, just close pictures and such). EDIT: someone has mentioned auditing; I remember that yes, we audited who did what.

Frankly, I thought everyone assumed that this worked as that, at least in the technical circles.

This should never be surprising. You must always assume that if your content is stored in the clear on a third party's resources, someone can and will poke through it.

I remember some of the high level Myspace employees bragging about how they would thumb through private messages when they were bored. And early day IRC mods saying the same. And dialup BBS admins. My mom opened my mail when I was a kid.

The amount of deeply intimate information that people transmit on Facebook makes me shudder.

TIL the company that owns the servers, code and database can actually access them whenever they want.
It should be pointed out that Facebook employees probably don't have access to your actual unencrypted password.
(comment deleted)
Well, of course they do. But they also have extremely strict rules about when you can access what user data and why. Employees can and do get fired for minor infractions of those rules.

Clickbait article?

Yep, this isn't news at all, I remember reading an interview with an employee which they stated that every account access was logged and anyone that was found accessing information for non-valid reasons would be fired (I can't remember if they also pressed charges).
(comment deleted)
This is not surprising at all. "sudo"-ing as other users is extremely useful for debugging.
Google employees can access your account, passwords not needed.

Microsoft employees can. Apple's can. And all others can.

Such employess we call “admins”.

These same people are writing the code that fetches user data from the databases, renders it, handles events and so forth.

Trusting those people with access to user data doesn't seem like a huge stretch.

My experience from being heavily isolated from live data at Microsoft was that we were slow to respond to customer issues. We didn't touch people; we had to have special permission to get blinded historical data, much less anything live. Yet I was at least partially responsible for writing the systems that kept PII private.

It's easy to freak out about stuff you don't understand.