Shostack + Friends Blog Archive
Logging practices

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, but I was curious about the form of this alleged hacking.

My curiosity was rewarded:

“he allegedly examined a report of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com.

In the instances where they had, Business Insider claimed that Zuckerberg said he tried using those incorrect passwords to access the Crimson members’ Harvard email accounts.”

dailymail.co.uk, 2010-03-06

So, it looks like the allegation is that actual passwords entered for failed logins were routinely logged.

Yuck.

2 comments on "Logging practices"

  • Rick says:

    I can think of a situation where this happens regularly, though not quite in the fashion described. Quite often in the unix syslog you will find a message saying login failed for some cryptic garbage which is nothing like an account name – this will often be a password when the user has got too far ahead of themselves.

  • Chris says:

    Rick:

    Correct. However, I would hope that those entries would go to a log file which only root can read. I certainly agree that this kind of logging, where the system merely records the proffered username, is very different from a (very poorly-designed, IMO) system in which the designer purposely logs both username and password.
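The two designs contrasted in the post and in Chris's reply, plus a check for the typed-ahead-password case Rick describes, as an added example that is not part of the original post or its comments. It is not code from TheFacebook.com, Harvard, or any syslog daemon; the user store, password hashes, log-line format and sample log lines are constructed for the demo, and the username pattern is an assumption about what account names on the system look like.

```python
"""Failed-login logging: the design the post objects to, a safer one, and a
triage check for passwords that land in the username field of existing logs.

Added example for this page; not code from any system named in the post.
Users, hashes and log lines are constructed for the demo."""
import hashlib
import hmac
import re

# Constructed user store: username -> (salt, pbkdf2 hash). Not real accounts.
_SALT = b"demo-salt-16byte"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": (_SALT, _hash_pw("correct horse", _SALT)),
    "bob": (_SALT, _hash_pw("Tr0ub4dor&3", _SALT)),
}

# Assumed account-name shape for this system (lowercase, short, no symbols).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


def _check(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash_pw(password, _SALT)  # same cost for unknown users (no timing tell)
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash_pw(password, salt), expected)


def login_logs_password(username: str, password: str, log: list) -> bool:
    """The purposely-designed system Chris calls very poorly designed: the
    failed-login report keeps the submitted password, so anyone who can read
    the report can try that string against the user's other accounts."""
    ok = _check(username, password)
    if not ok:
        log.append(f"login failed user={username} password={password}")
    return ok


def login_logs_safely(username: str, password: str, log: list) -> bool:
    """Record the failure without the secret. The raw username is kept only
    when it is a real account or at least looks like one; anything else may be
    a password typed into the wrong field, so only its shape is written."""
    ok = _check(username, password)
    if not ok:
        if username in USERS or USERNAME_RE.match(username):
            who = username
        else:
            who = f"<unparseable name, len={len(username)}>"
        log.append(f"login failed user={who}")
    return ok


# Constructed sshd-style lines for the syslog case Rick describes.
SAMPLE_AUTH_LOG = [
    "Jan  5 10:01:02 host sshd[100]: Failed password for invalid user guest "
    "from 203.0.113.5 port 51234 ssh2",
    "Jan  5 10:01:09 host sshd[101]: Failed password for invalid user "
    "Tr0ub4dor&3 from 203.0.113.5 port 51240 ssh2",
    "Jan  5 10:01:15 host sshd[102]: Failed password for alice "
    "from 203.0.113.5 port 51250 ssh2",
]


def entries_that_may_hold_passwords(log_lines) -> list:
    """Return the 'invalid user' tokens that do not look like account names,
    so an admin can restrict or scrub that log rather than leave it readable
    to everyone. A typed-ahead password that happens to look like a username
    will not be caught; this is triage, not proof."""
    pat = re.compile(r"Failed password for invalid user (\S+) from")
    hits = []
    for line in log_lines:
        m = pat.search(line)
        if m and not USERNAME_RE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    bad, good = [], []
    login_logs_password("bob", "hunter2", bad)
    login_logs_safely("Tr0ub4dor&3", "", good)  # password in the name field
    print("\n".join(bad + good))
    print("suspect log tokens:", entries_that_may_hold_passwords(SAMPLE_AUTH_LOG))
```

The safe variant still records enough to detect brute forcing (who, and that it failed); what it refuses to keep is the one field an attacker could replay elsewhere. The triage function answers Chris's point from the other direction: it does not make the syslog safe, it tells you which existing entries justify keeping that file root-only.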
