Facebook bug leaked more info than company reported?
Last Friday, Facebook tried to make its latest disclosure of an information-leaking bug as low-key as possible, but luckily there were researchers who actually analyzed the bug and the type of information it leaked before it was fixed.
The security enthusiasts at Packet Storm have noted and pointed out the dangers that some users might have been in due to the glitch in the DYI (Download Your Information) tool that would allow users to see their contacts’ data that was previously hidden to them – contact information from uploads other users have performed for the same person.
The glitch also unearthed a previously unknown fact: Facebook is building “shadow profiles” for ever user – and for non-users, as well.
Also, in their Friday announcement and the notification email sent to affected users, they said that in almost all cases, an user email address or telephone number was only exposed to one person – “someone you already know outside of Facebook”.
But according to Packet Storm, that’s not true.
“We compared Facebook email notification data to our test case data. In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure,” they pointed out on Wednesday.
“Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used it’s own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the ‘bug’ when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.”
In their post, they presented a very good and very likely explanation of the ramifications of the Facebook data collecting practices and how Facebook might have come up with that small number, and I must admit it paints a chilling picture.
“We may never know the true numbers surrounding the disclosure but the liability of housing this additional data appears obvious. Governments aside, history shows that Facebook has been successfully targeted by Chinese hackers and known malicious hackers,” they pointed out.
Also, the information collected from users is not only about those contacts who use Facebook, but also about those who don’t. This makes me even more uncomfortable, because most of the people I know who don’t use Facebook have chosen not to open an account because they are worried about the privacy ramifications of doing so.
And, according to Packet Storm, Facebook has confirmed that even if they have information about these people, they won’t notify them of the leak – after all, they are not users. According to Facebook’s logic, the information that users have (knowingly or unknowingly) shared about their contacts with Facebook belongs to the users, not the contacts.
The researchers have shared with Facebook some suggestions on how to prevent information about non-users from being unintentionally shared, collected and stored, but I won’t bet on Facebook listening.
Finally, as a small sidenote: Symantec says that the Facebook application for Android leaks device phone numbers.
“The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen,” they pointed out.
“We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release. They stated they did not use or process the phone numbers and have deleted them from their servers.”
Needless to say, in light of all these previous disclosures, I won’t bet on that last statement being true either.