> The first bug was that, when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all. But in a very specific case, on certain types of posts that are encouraging people to post happy birthday greetings, it did show up.
> The second bug was that this video uploader incorrectly used the single signon functionally, and it generated an access token that had the permissions of the Facebook mobile app. And that’s not the way the single sign-on functionality is intended to be used.
> The third bug was that, when the video uploader showed up as part of View As -- which it wouldn’t do were it not for that first bug -- and it generated an access token which is -- again, wouldn’t do, except for that second bug -- it generated the access token, not for you as the viewer, but for the user that you are looking up.
> It’s the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers. Those attackers then, in order to run this attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot on that access token to other accounts and then look up other users in order to get further access tokens. This is the vulnerability that, yesterday, on Thursday, we fixed that, and we’re resetting all of those access tokens to protect security of people’s accounts so that those access tokens that may have been taken are not usable anymore. This is what is also causing people to be logged out of Facebook to protect their accounts.
[1] https://fbnewsroomus.files.wordpress.com/2018/09/9-28-press-...
Set your preferences to show posts of your native language only, start poking around the timelines, and follow people who post something interesting. Follow, boost, reply, it only takes a few days before you have plenty of interesting content in your feed.
There's zero chance on Mastodon that you'll get caught up in a gigantic data breach like this. Probably less chance you get caught up in any kind of breach -- it's too obscure to be a target, plus the code is open source so many eyes on it, etc.
And you'll enjoy these guaranteed benefits, as well:
- No longer subject to the most sophisticated data vacuuming adtech in the world
- If you get bored/annoyed you can just take a break from Mastodon because it doesn't own your life the way Facebook tries to
Security through obscurity...
Open source != secure. I can guarantee that a hell of a lot more folks with a lot of security expertise have combed through the fb codebase than Mastodon.
...is not a solution by itself but is a perfectly valid part of a defense in depth strategy, for example running SSH on a port other than the default is a common and good practice.
> I can guarantee that a hell of a lot more folks with a lot of security expertise have combed through the fb codebase than Mastodon.
This is the same argument Microsoft always made in defense of Windows security back in the XP era. "We hire the best experts in the world so Windows must be fantastically secure." And Windows security turned out to be a train wreck. Now in Microsoft's defense it has improved considerably over the years, but Windows desktops still get owned far more often than Linux desktops do, for a reason that would probably apply to Mastodon today as well: not that many people use it, so it is not nearly as common a target for exploits.
I don't think I deserved downvotes for making these points btw, that button is way overused on HN.
This really depends on what kind of target you are. Are you a random person on the internet? Then making yourself a smaller target by using obscure services might help. Are you someone with sufficient value for a spear phishing attack? Not so much. “Sufficient value” might just be “you slighted the wrong person on the internet.”
There’s also a lot of trade offs involved, some of them less than obvious. For example mastodon servers may be run by a person/team who’s trustworthiness rating is harder to evaluate Tran facebooks. The server you’re on might by run by well-meaning but incompetent people. The server you’re on might have one participant that is a target of sufficient value for spear phishing and your data might be taken and leaked just to obscure the real target.