Backblaze B2 Leaks Metadata to Facebook
@backblaze’s B2 web UI seems to submit all of the names and sizes of my files in my B2 bucket to facebook. I noticed because I saw “waiting for facebook.com” at the bottom while trying to download a backup…
?!?!?!?
I even opted out of their tracking widget thing!
Believe that’s the Facebook pixel we use for tracking, we’ve forwarded to our web team for review in case that is not intended behavior.
[…]
An update on the fix we pushed: we removed the offending code from the logged in web pages.
[…]
The pixels we use are primarily for audience building when we advertise on other platforms like Facebook for example. You can read about it in our terms[…]
The “Advertising Cookies” section says that you don’t use them. Then in the FB section, you say that it’s so people can easily share pages and content the user finds interesting. Then you slip in a catch-all “we may use it for advertising”.
I hope you realise this isn’t a ‘frontend issue’, but a security breach. As a customer with sensitive data, I don’t want you ‘pushing a fix’, I want you to do a full review of how this happened, and a process to not let 3rd party trackers access user data ever again.
Regrettably, this is just another example of Backblaze’s inability/unwillingness to follow basic software development best practices. To those saying “they should notify all users”: they should, and they probably won’t, because they haven’t before.
There is a long history of engineering problems. Just one example: it seems to still be the case that the Backblaze client reports files as successfully backed up as many as eight hours before they are actually committed to the server. If something happens to your Mac in the interim, you won’t be able to restore them.
Previously:
- Arq 7
- Backblaze bzfileids.dat Scaling and Little Snitch
- Backblaze Mails Unencrypted Hard Drives
- Begemann’s Backblaze Review
- What Backblaze Doesn’t Back Up
Update (2021-03-23): Backblaze:
We take the privacy of our customers’ data and personal information very seriously and have made completing the root cause analysis a top priority. Our Engineering, Security, and Compliance/Privacy teams—as well as other staff—are continuing to investigate the cause and working on steps to help ensure this doesn’t happen again. We will update this post as we have more information to share.
2 Comments RSS · Twitter
The right thing to do would be to remove the Facebook pixel completely. Those in California should consult legal counsel to see if CalOPPA applies. Another thing to look into is to see is setting a passphrase actually protects your data. Backblaze is not a company that is UX-focused or pays much attention to detail.