The Giant Security Hole That Facebook Doesn't Care About

By Sam Biddle

You probably assume hackers are using all sorts of devious viruses, obscure scripts, "exploits" (whatever that means, right?) and other complex means to break into accounts. But often the means of entry are stupid simple. Facebook has a huge one—and doesn't care about fixing it.

There's a basic premise here that isn't a Facebook problem, but really an internet problem: it's super easy to reset someone's password. The web is an ornate, lumbering thing built on tiny little stilt legs, its foundation unfit for what came after it. It's complex stuff standing on simpler stuff. New on old. And often the old can't cut it: just ask Giz alum Mat Honan, whose online life was savaged because of the stupid-simple processes standing between assholes and us online. You don't need to be a hacker—you can just talk your way in:

  • Step one: Say you've forgotten your password.
  • Step two: Say you've forgotten your email address.
  • Step three: Use a security question or customer service rep to change over to a new email address—one you control.
  • Step four: Send a new password of your choosing to that new email address.
  • Step five: Log in.

This is the same lazy, methodical trick that hit Honan, breached @BurgerKing, and this past weekend, tried to crack my Facebook account. Again, and again, and again, because Facebook makes it so easy.

The crux of the problem is impossibly stupid: Facebook won't let you change your security question. The street you grew up on, the name of your first cat, your college mascot—these bits of dumb personal trivia are all it takes to claim complete control of someone else's Facebook account. You probably forgot the day you even entered yours. Luckily, it's so obvious, you'll never forget it. That's the simultaneous beauty and stupidity of the security question: eternally memorable.

But hey, what if someone happens to guess this extremely guessable piece of information about you, based on readily Google and Facebook-available details? What if they use the answer to this question to repeatedly attempt to break into your account—perhaps successfully? Shouldn't you be able to change that question to something that isn't already known by someone with clearly nefarious intentions?

You'd think so, and you'd be wrong. There's no way to manually switch your security question to something new if you're worried someone might have the answer. Or just to switch it up for the sake of switching it up, as we do with passwords. Facebook simply won't let you.


It's a task even to find the place where your security question exists: I had to Google "facebook security question," which pointed me to a variety of FB help FAQs. One of them finally had a link to this page, where you can "improve the overall security of your account by updating your security information." Except for your security question, which cannot be updated. You can read it and click on it, futilely, but it's immutable. There's even a cutesy little lock icon next to it.

I assumed this had to be some kind of bug, or oversight; if we can change every other security route into our Facebook account—email, phone number, password—why not the security question? Nope. It's meant to be this way.

A Facebook rep told me "the rationale [is] security questions are used when a person forgets their password. If you could change a security question in an account compromise situation it would be worthless as the attacker could lock the real account holder out of their account."

Well, fine. That sort of makes sense—you wouldn't want a bad guy to just set the security question to whatever he wants and then answer it. But in cases where the bad guy already has the answer, you should be able to pick a new question. This is like replacing the locks on your house when you know the robber already has the keys. Common sense. But with Facebook, impossible.

As a result, I repeatedly received email warnings that someone was, again and again, trying to hijack my account via security question. And I was helpless. The only recourse is to go through Facebook's MY ACCOUNT IS BEING HACKED panic mode and manually change your password, review nearly every detail of your account, and... hope it doesn't happen again. You're powerless. You can't replace your lock. Lucky for me, I have Facebook's two-factor authentication, which sends a login code to your phone, switched on. This is another security feature buried so deep that most people likely don't know it's an option. Most people likely wouldn't be so lucky in the event of an attack.
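As an added illustration (not Facebook's code or anything from the article), here is a toy Python model of the middle ground the rep's rationale leaves open: the security question can be rotated, but only from a session that proved both the password and the phone login code, so an attacker who merely knows the answer cannot re-key the account and lock the owner out, while repeated wrong answers shut the recovery path and raise an alert instead of letting the guessing continue. All class and method names, the three-failure limit and the sample values are assumptions made for the example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
MAX_QUESTION_FAILURES = 3  # wrong answers tolerated before the question stops working for recovery

def _hash_answer(answer, salt):
    # Normalise case/whitespace, then hash so the plaintext answer is never stored.
    return hashlib.pbkdf2_hmac("sha256", " ".join(answer.lower().split()).encode(), salt, 100_000)

@dataclass
class Account:
    password: str
    login_code: str  # stands in for the login code the article says Facebook texts to the owner's phone
    question: str
    answer: str      # plaintext only at construction; replaced by a hash in __post_init__
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    failures: int = 0
    question_disabled: bool = False
    alerts: list = field(default_factory=list)

    def __post_init__(self):
        self.answer_hash, self.answer = _hash_answer(self.answer, self.salt), None

    def login(self, password, code):
        # Only a session that proved the password AND the second factor is "full".
        ok = hmac.compare_digest(password, self.password) and hmac.compare_digest(code, self.login_code)
        return {"level": "full"} if ok else None

    def set_question(self, session, question, answer):
        # Rotation needs a full session: someone who only knows the current answer cannot re-key the account.
        if not session or session.get("level") != "full":
            return False
        self.question, self.salt = question, secrets.token_bytes(16)
        self.answer_hash = _hash_answer(answer, self.salt)
        self.failures, self.question_disabled = 0, False  # a fresh answer re-arms the recovery path
        return True

    def recover_with_question(self, answer):
        # Recovery grants a limited session (enough to reset the password, never to rotate the question).
        if self.question_disabled:
            return None  # path stays closed until the owner rotates the question from a full login
        if hmac.compare_digest(_hash_answer(answer, self.salt), self.answer_hash):
            self.failures = 0
            return {"level": "recovery"}
        self.failures += 1  # every wrong answer is recorded; too many close the path instead of allowing more guesses
        self.alerts.append(f"wrong security answer ({self.failures}/{MAX_QUESTION_FAILURES})")
        if self.failures >= MAX_QUESTION_FAILURES:
            self.question_disabled = True
            self.alerts.append("security question disabled after repeated wrong answers")
        return None
```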

In this case, your only hope is that Facebook, in the midst of one of these emergency "I'm being hacked" processes, will give you the chance to change your security question. This happened to me after foiling several hacking attempts that cropped up out of nowhere. The same Facebook rep told me that "in the vast majority of cases we will let people change their [security] questions" when responding to a hack attempt. I was only given the chance after a handful of attempts—certainly not the vast majority.

That seemed to deter the anonymous jerkoff who wanted to meddle with my valuable Likes and Friend Requests. But what if you're not someone who compulsively checks your phone, like I do? What if I had been in an airplane? Or asleep? What if I hadn't been able to immediately respond to break-in attempts enough times that Facebook finally, crucially allowed me to change my security question?

My Facebook account wouldn't be mine anymore. And that's just the way it is, the rep told me. This is the best system the company, which holds the virtual lives of one billion human beings around the globe, can muster. "The fallback would be proving your identity via a government ID," the spokesperson said. I'm no programmer, but I have a feeling there's plenty of space between Facebook locking me out of my own security question, this gaping hole in its walls, and being forced to fax in my passport.