An information disclosure bug has drawn back the curtain on some of the data correlation Facebook does with users’ contact details and opened the social network’s policies up to criticism.
Facebook said the bug in its Download Your Information (DYI) tool has been repaired, but not before six million users had their email addresses and phone numbers inadvertently shared with others.
A researcher reported the bug to security site Packet Storm, which shared details with Facebook last week. Facebook said it shut the DYI service down for a day for repairs before turning it back on.
Facebook users are able to upload their contacts to the social network and retrieve them as an archive through the DYI tool. The archive, called addressbook[.]html, is supposed to contain just the contacts you uploaded, but instead was returning contact details from other users if they had the same email address or phone number in their contact upload.
“In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information,” a post on the Packet Storm site says. “It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.”
Facebook said it correlates user contact information to make friend recommendations.
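The following is an added illustration, not Facebook's code or anything published by Packet Storm: a simplified, assumed model of a contact store in which an export that reads correlated records returns identifiers other users uploaded, next to an export scoped to the requester's own rows. All names, addresses and numbers are constructed.

```python
# Simplified, assumed model of a contact-import store; all data is constructed.
from collections import defaultdict

# (uploader, identifiers the uploader supplied for one contact)
UPLOADS = [
    ("alice", {"bob@example.com"}),
    ("carol", {"bob@example.com", "+1-555-0100"}),
    ("dave",  {"+1-555-0100", "bob.work@example.org"}),
    ("alice", {"erin@example.com"}),
]

def correlate(uploads):
    """Group identifiers that co-occur in any upload (union-find), as a
    recommendation feature might. Returns identifier -> merged set."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for _, idents in uploads:
        first, *rest = sorted(idents)
        find(first)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for ident in parent:
        groups[find(ident)].add(ident)
    return {ident: groups[find(ident)] for ident in parent}

def export_from_merged(user, uploads):
    """Flawed export: reads the merged record, so it includes identifiers
    that other users uploaded for the same person."""
    merged = correlate(uploads)
    out = set()
    for owner, idents in uploads:
        if owner == user:
            for ident in idents:
                out |= merged[ident]
    return out

def export_owner_scoped(user, uploads):
    """Scoped export: only identifiers this user uploaded."""
    return set().union(*(i for owner, i in uploads if owner == user))

def leaked(user, uploads):
    """Regression check: anything in the export the user did not supply."""
    return export_from_merged(user, uploads) - export_owner_scoped(user, uploads)
```

A check like `leaked()` can run as a test against any export path: the result must be empty for every user, whatever correlation the service performs internally.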
“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said in a message from its White Hat program. “Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again.”
The White Hat program facilitates vulnerability disclosures for security researchers and manages the social network’s bug bounty program; the minimum payout is $500, and Packet Storm said Facebook did pay up for the DYI bug.
Facebook and other major technology companies such as Google, Microsoft and Apple have gone on the defensive recently, distancing themselves from the so-called PRISM program, under which the government allegedly has been receiving users’ personal data from each of the companies. Facebook and the others said the government has no direct access to infrastructure or data and provided some insight into how many warranted requests for user data they receive.
Packet Storm, meanwhile, shared some details of its discourse with Facebook on the DYI bug. It said Facebook considers users’ contact information the users’ data and they can do what they want with it regardless of whether they’re sharing someone else’s personally identifiable information. Facebook, Packet Storm said, also used the same reasoning when asked if they delete data uploaded by friends if it is not in accordance with the user’s privacy settings.
“The request for privacy controls around my personal data does not seem unreasonable. For one, a contact list may be my friend’s list, but the data is mine. When Facebook stores a credit card number for me, I’m certain they understand very clearly that it is my data and they are a custodian of my data,” Packet Storm said. “The same should apply to a contact list uploaded by someone. It is still my PII (Personally Identifiable Information) regardless of who puts it there and Facebook is still correlating it to my identity, ready to be compromised by malicious parties.”