Facebook bug discloses user info, existence of shadow accounts

6 million Facebook users have been affected by a flaw that resulted in the email addresses and phone numbers associated with their accounts being shared with any friend and contact that used the company’s Download Your Information (DYI) tool to download an archive of his or her Facebook account.

According to the notice posted by Facebook on Friday, the glitch, which has since been fixed, allowed users to even download email addresses or telephone numbers not connected to any Facebook users or even names of individuals.

How could this happen, you wonder?

Well, as it turns out, when users share with Facebook their phone contacts, the company uses the information to suggest friends already on Facebook, but also keeps the information and associates it with those contacts’ accounts, creating thusly a sort of “shadow profile” for every user.

Packet Storm has a great explanation of how the bug could be misused:

Two bits of functionality must be leveraged in order for this to work – the DYI (Download Your Information) functionality and the ability to upload your contacts.

The flow is simple. Upload your contacts and then go to Download Your Information under Account Settings and choose the link at the bottom to get your Expanded Dataset.

Hours pass and eventually a link is emailed stating your download is ready. When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded. However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads other users have performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people.

In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information. It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.

The flaw was discovered by a researcher that reported it to the Facebook White Hat program, and was apparently present since 2012.

“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” the company noted, adding that “no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”

Privacy-minded users have taken to online forums to express their outrage at the fact that Facebook keeps all this data about themselves – data that they perhaps have intentionally not shared with the social network, but were nevertheless harvested from other users’ contact and tied to them.

ZDNet‘s Violet Blue and Packet Storm pointed out the problematic ways in which the glitch might have been misused by individuals set on harassing other (known and unknown) people, but unfortunately there is not much one can do about all this.

“I would consider deleting my account, but based on the fact that this affects me regardless of whether or not I’m a user just makes the decision an exercise in futility. I hope that Facebook takes into account the adverse effects of their behavior and brings our questions back to the decision making table,” commented the latter.

The problem is that whether users have given permission for Facebook to collect this data or not (they have – it’s says so in the Terms of Service and Privacy Policy), the data is technically not theirs, but Facebook chooses not to see it that way.

The glitch may be fixed, but the shadow accounts will still be there.

“They have the ability to make a really positive change that sets the standard in the valley for security of user data. Alternatively, another social networking site might take this opportunity to highlight that this behavior will not happen on their systems, and a mass exodus of Facebook may occur, though we doubt that very much,” say the security enthusiasts at Packet Storm. “What we need are governments to enact legislation that forces the hand, but given recent news items in the United States, it is clear that not all governments are making this a top priority.”

Don't miss