Backblaze submitting names and sizes of files in B2 buckets to Facebook

> Don't they have any sort of vulnerability assessment or security code review?

I haven’t seen any evidence that they do. The last time I brought up their history of bad security practices on HN, one of their co-founders decided that the correct course of action was to come on here, accuse me of being a bad actor, and repeatedly make up quotes I didn’t say.[0] All because I tried to warn others in the community that something just like this was likely to happen again. And now it has. So, you know.

[0] https://news.ycombinator.com/item?id=25919105

> Don't they have any sort of vulnerability assessment or security code review?

I bet people just don't realize that the frontend code could end up being a source of major data confidentiality vulnerability. The threat modeling, auditing etc. usually just concentrates on attack scenarios involving the backend to save money and keep frontend development a bit lighter on the security review process side.

Does not make it excusable of course, just means their threat modeling was inadequate. But probably explains how this was able to sip into production.

> I considered using backblaze a couple of times and now I'm very happy that I eventually didn't.

Same. I ended up going with spideroak because it was too hard to figure out what other providers were even promising for privacy, and it’s been fine. I’m thinking maybe of trying rsync.net with duplicity one day

> Because otherwise how do you know when they suddenly change their script to do something entirely different?

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

Why would you allow third party scripts to be updated by anyone but you?

This trend of dynamically linking to other people's shit needs to stop.

> Because otherwise how do you know when they suddenly change their script to do something entirely different?

Even though it's inconvenient maybe we should treat it as just another 3rd party dependency that needs to be downloaded, screened, and then used from the internal store. Pretty dangerous to dynamically load a script from a site like facebook.com.

>Because otherwise how do you know when they suddenly change their script to do something entirely different?

(a) Sandbox it.

(b) Have them sign a contract they won't do so but only do these N things, and if change those without telling you, sue them.

Why does Backblaze even need Facebook integration anyway? That seems absurd to me.

The FB pixel is how FB gets to know about conversions. If your company runs FB adds, FB encourages you to let them know about which users converted to paying customers so it can improve the targeting of your ad campaign. And if you offer a free trial and the upgrade to paying customer happens inside the user dashboard, presto-bingo Marketing now needs you to install the FB pixel there.

It's disappointing that this is what the internet has become, and I'm happy to see issues like this brought forward. I can see value in feeding back conversion events to an ad network, but the "just let us run code on your page" style of integration needs to stop. Give developers some API to explicitly send such an event, if they really need to.

I don't necessarily disagree with you, and whether a pixel should be there at all is definitely a discussion in itself.

But for those who are implementing FB Pixels, I wanted to put out some potentially useful information that can help protect against unintended data disclosure, after mentioning the auto-listener behavior in a reply to another comment and being met with surprise[1].

[1] https://news.ycombinator.com/item?id=26537078

Exactly. When the most important thing for a backup provider is the trust people put in you, don't do anything that risks that trust.

Edit: my biases against Facebook keep me from making cogent points.

Why is that? Perhaps they get business value out of it?

Virtually all tracking boils down to 1x1 sized images getting embedded on the page, with various metadata being attached in that image call. The javascript libraries may include other functionality (like additional fingerprinting and such), but are primarily just convenient abstractions that generate and embed the the tracking images for you. Most provide the details needed[1] to build your own generator function, which would allow you to integrate the tracking you want while reducing your security exposure to third party code.

As for GTM – a deployed container is self-contained. If you don't want to expose your site to third party code, but want to use GTM as a convenient control plane for configuration of tags and tagging rules, you can do that. Instead of using the standard snippet that loads the container from Google, you can just grab the generated javascript file for the container after a new deploy and self-host it. It gives you the convenience of GTM (central control plane for tagging-related stuff, versioning and commenting, etc) but without the security exposure of embedding externally hosted scripts.

[1] https://developers.facebook.com/docs/facebook-pixel/advanced...

As a first-party site owner, subresource integrity checks[0] (that someone else already linked elsewhere in this thread) lets you at least determine, at the browser request level, if a third-party script has changed since you installed (and hopefully audited) it.

0: https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

For various reasons including this, advertising tracking is moving server-side, where the company can much more tightly control what gets sent to the vendors, and where third party JavaScript no longer has access to the DOM, network requests, or cookies.

CORS is about safely allowing two cooperating, different origins to communicate. In this case, Facebook and the host are cooperating.

Even just using an ad-blocker will prevent this: https://github.com/gorhill/uBlock

I'm speaking from the perspective of a site, like Backblaze, where web app and the site fulfill two separate functions. There are lots of cool metrics that marketing wants; any code they put into www.backblaze.com is pretty low cost, and usually done by a separate team than product.

The product site itself (usually app.example.com, but Backblaze seems to use secure.backblaze.com) actually contains customer data in the browser context, is under much higher base resource loads from its core functionality, and is used repeatedly in workflows where poor performance is painful to the user.

No one gives a shit if your pricing page takes 500ms to load instead of 100ms, or if a dozen social media companies who already know where you work learn what kinds of professional products you're looking for.

They do care if a file listing takes longer, a recipe opens slower, if word frequencies in confidential data are leaked to the world.

In most paid products, the non-paid part of a site has radically different performance and security requirements from the paid part, and forcing one to be built to the requirements of the other (in either direction) is wasteful, or dangerous, or both.

> Most of the time, they do things because other people do things, but don't truly understand what the true ramifications are

To be fair, it's just as true for developers as it is for the marketing guys

I’m a marketer, can’t argue with the above.

As long as they don't have the car keys, they can go knock themselves out.

Re: the more substantive legal points - there are off-the-shelf solutions (CMPs, for example) and easy checklists for complying in the setting of a static public-facing website. The web designers and brand managers I've worked with are more than capable of meeting clear industry standards.

It's inside a web app, where customer data is on the page and in JS scopes, where the product team is essential in safeguarding customer data.

Which is why it has to be a two way street - when it comes to the product, specifically its security and performance, engineering needs to absolutely own the thing.

In a static website, where there are standard tools and checklists and web designers to walk them through it, marketing's lack of technical understanding is less of an issue. And in a B2B web app like Backblaze's and my own, the data exposed to the public web site is just not all that sensitive.

And I'm not talking as a prospective employee who "just wants to be a cog in the machine"; I'm talking as a founder and CTO who sets company goals. I'm worried about data leaks caused by poor implementation and short-sightedness, not those caused by company policy that I disagree with. If I disagree with company policy, I change it.

sisters_graduation_2019.jpg

Rebecca_Range_will_and_final_testament.pdf

NadyaNayme - Resume - [Company Name].pdf

divorce_process.pdf

steps-to-take-after-a-car-accident.pdf

personal_injury_michael_perez_west_coast_trial_lawyers.pdf

embarassing_porno_filename.mp4

And this is a smalls subset of filenames that could not only provide PII but also potentially embarrassing or private information that isn't identifying but would be accompanied with files that are personally identifying.

Just from looking at my own documents folder, "Stephen Tordoff - ESA Appeal SSCS1.pdf". That would reveal that I have a disability, and that I am (or have) claiming benefits for it. Not everyone would be happy with that being public knowledge, and I'd be less that thrilled if things like it were shared with Facebook for no reason.

URLs, of which file names could be considered a subset, are definitely considered PII.[0]

[0] https://cphs.berkeley.edu/hipaa/hipaa18.html

I’ve worked for multiple FAANGs and can assure you that all have considered file names to be PII. Pretty much anything that contains user input should be treated as PII.

Modern business vocabulary has shifted from "Dear Mr. LastName," to "Hi FirstName!". This shift happened first in more "trendy" places, although most everyone has already moved on to using informal language in customer relations.

I do agree with your point about banality of evil.

Backblaze is role-playing 'trusted friend' on twitter the same way McDonalds and Wendys get into 'fights' on twitter. It's just corporate playbook stuff; I wouldn't say it's a conspiracy. Here's the latest posts on backblaze's twitter: https://i.imgur.com/mMkylym.png

Absolutely. Better to focus on what actually matters, and keep the action dense.

Dear Mr. rPlayer,

Please update your signature to conform with the current standards, as outlined in the last month's circular.

Best Regards, TeMPOraL

--

TeMPOraL, Internet Compliance Officer (ICO)

ACME LLC - Synergizing Creative Accounting

ACME LLC, NaN NaN, Null Islands.

The content of this message is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.

Please do not print this message unless it is necessary. Every unprinted message helps the environment. Think of the trees!

I don't use twitter so I don't know what the etiquette over there but outside of emails I wouldn't normally expect any salutation in an internet message.

So for me it's not so much that the salutation not formal enough, it's more that it's odd that it exists at all.

But then again maybe usages differ in twitterworld.

They could have just left off the greeting.

Exactly... all my b2 files are client side encrypted. It would be a really bad idea not to do that.

Hmm. A possible counterargument: filenames like

  dRDDrOu44Rr84vzXJv2mcr2eg83zDN43mzUQ0N4
  xzrI5Ha7HJ7gK3T8XfkGqNtvc7LMQPFjSwi
  5Wb1XhHeR6LxQUC8XfyX9kvvooYvrp9fnxQVvH9C
  jgAzjd56DGWFjcae0gw9A1LZxJEqVHW7UmkZ
  XrpNNAZalPp6D4mnpLvVcCE3uWkDQzthSQwK9

are extremely suspicious-looking. To me that screams "obsessively paranoid". I reckon that if I were in law enforcement, the fact that there is absolutely nothing I can infer from these filenames, combined with the obvious complexity associated with correctly maintaining something like this, would actually make me that much more interested in decrypting this information simply to take a look at it and rule it out.

Which is exactly why this would be a scenario in which I _would_ want to "reuse someone else's password", if you will, and I'd theoretically go digging for common archival file patterns, and use the most common I came across.

rsync.net was posted here on HN a few days ago. Also, tarsnap is another popular service. Neither have the special additions that makes Backblaze so popular, but could be popular alternatives.

Can someone here translate the PR/marketing speak here for us mere mortals? How does having Facebook tracking on the web front-end of existing and paying users help with lead generation?

Some might find this tweet useful for the time being:

> What happens if you resolve http://facebook.com to 127.0.0.1 via hosts-file? (Or put it into your Pi-Hole DNS Ad-Blocker, or the like.) Does the Backblaze UI still work?

> Answer: Seems to work well. You need to add the main domain and sub domains (www. in this case), btw.

Including the filenames seems to have been unintentional, looks like they were logging analytics to Facebook, probably an even (form submission) but uploaded the form html with contents.

But why they need to submit that to Facebook for paying users I don't understand. The only thing I can think of is excluding active users from advertising... But is that worth the privacy intrusion?

This.

Yev, if you are not in the upper management chain of Backblaze, please show mnw21cam's message to someone who is.

The problem is not that there was a little bug which caused the Facebook tracker to get a few little pieces of information it shouldn't have.

The problem is that Backblaze failed to understand how to distinguish appropriate and inappropriate uses of third-party trackers for signed-in users on a security-critical application. The Facebook pixel should never have been there at all. It shouldn't even have been considered. It should've been an absolute no-brainer that Facebook has no business being on secure pages on a critical infrastructure service for paying customers.

The fact that the pixel even showed up at all on a logged in page represents a breach of trust for customers and casts doubt on Backblaze's competence in handling security issues. This warrants a serious reply from the CEO, not a copy-pasted meaningless reassurance.

"What you have right here and right now is a public relations disaster. Trust in your brand has been damaged. It cannot be repaired by you providing minimal information."

I'm not sure that's true.

There are a number of barely-technical subreddits, typically centered around Plex or some flavor of bittorrent, that consist of an all-day-every-day request for "as much cloud storage as possible for the lowest possible cost and please say it's free".

These are not HN readers. It's as if they attained consciousness two minutes ago and one minute ago they decided they needed cloud storage.

This is the audience these kind of analytical tools are geared toward and I don't think this changes their "engagement" or their "convertibility" or their "lifetime value".

The real information here is that in 2021, and in conjunction with a much more sophisticated product offering (B2), Backblaze is very aggressively pursuing flat-rate, loss-leaders who can be influenced and targeted by facebook.

Draw what conclusions from that you will.

While on a personal level I agree with you, there is a saying in Dutch: "je moet niet wrijven in een vlek", which translates to "don't rub in a stain".

Sort of like the Streissand Effect; if BB starts posting press releases about "breaching trust", filled with apologies, the audience that will become aware of this issue will be a lot bigger than it currently is.

So from a PR persepctive, a one line low key "we pushed a fix" reply makes total sense.

Yev here -> re: fixing the issue - we removed the offending code from the logged in web pages. Rest assured that we have are taking this very seriously internally and we will continue to investigate and provide updates as we have them.

Well, for many of us this is where it starts:

I might very well start using backblaze next year or maybe even next month[1], but that is depending on the outcome of this event.

For a comparison: one good friend once called med to apologize that he had been laughing behind my back with some friends.

Guess who I definitely trust today? The one admitted his mistake. He always was a nice bloke and I guess he will never ever do anything like that ever again.

[1]: I won't start using it this week or the next however.

Yev here - Tobr, thank you for being a customer. Wanted to let you know that we've updated our blog post after finishing our root cause analysis. You can read about what happened here: https://www.backblaze.com/blog/privacy-update-third-party-tr....

Yev here -> thanks for being a customer! We've finished our root cause analysis and updated our blog post with additional information -> https://www.backblaze.com/blog/privacy-update-third-party-tr....

I wouldn't judge a company based on their Twitter engagement. Twitter is a really dumb place.

Yev here -> I think part of that was a mistake on the Twitter side of things. We've published a blog post with information after finishing our root cause analysis -> https://www.backblaze.com/blog/privacy-update-third-party-tr....

Same, I'm out. Who are you moving to?

Is it smart to tell people that you are leaving before you actually backed-up and moved you data in the new place!?