The exploit funded by Facebook allowed FBI agents to identify the user's real IP address, which then allowed them to identify Brian Kil as Hernandez. Technically speaking, this hack could have been used against activists and other sensitive people by law enforcement or authoritarian governments. Motherboard reported that Facebook did not inform Tails of the exploit, and decided it was OK to use it because Tails was incidentally patching out the exploit as part of an unrelated update.
But Tails developers, as well as privacy and security experts, agree that, update or not, Facebook should have alerted Tails once the FBI operation was over. Three years later, that has not happened yet, and the Tails developers, as well as the makers of the popular media player GNOME Videos, said they found out about all this through Motherboard’s article.
“They should have been notified.”
The developers of the targeted video player said they haven’t heard from anybody either.
“GNOME was not previously aware of this story, and is not able to guess which vulnerability might have been exploited,” a spokesperson for the GNOME Project, the developers of a free and open source desktop environment and the GNOME Videos player, which are both included in several Linux distributions such as Ubuntu, told Motherboard in an email.
The GNOME spokesperson said that they appreciated Facebook planning to report the vulnerability before discovering it was apparently already fixed, but many people who use their software may still be running an unpatched version. That’s why they expect the FBI or Facebook to contact them to make sure they can alert all users.
Do you work or did you use to work at Facebook? Do you work for the FBI or develop hacking tools for law enforcement? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
“The fact that Facebook or any private company would think they had the right to commission the creation of malware against another software entity is so incredibly arrogant,” said Katie Moussouris, who used to lead the vulnerability research teams at Microsoft and Symantec and is one of the world’s most well-known experts on coordinated disclosure. “Security professionals worth their salt are worried about governments not making the right call when it comes to making decisions in the Vulnerability Equities Process, and we’re all supposed to be fine with that kind of decision resting in Facebook’s hands?”
According to Moussouris, what Facebook did in this case “is more evidence that Facebook is out of control at best and is making the world less safe for people who need anonymity to survive.”
Moussouris used the facepalm emoji when describing how she felt when she read the Motherboard story that revealed Facebook’s role in the hacking of Hernandez.
“I didn’t think a vulnerability disclosure story could possibly horrify me after all these years, but here we are,” she said in an online chat.