It would seem that a bug in Facebook’s Download Your Information tool that exposed personal information for six million users of the social network also extends to non-users who happen to be in a contact list uploaded to the site.
Facebook said it has repaired the bug and began informing users this week of the situation. But according to security site Packet Storm, which worked with a researcher to report the bug to Facebook, the social network is downplaying the impact of the exposure to its users.
Packet Storm compared its data to what Facebook included in email notifications to users, and said the scope of the issue is being underplayed.
Users are able to upload their contacts to Facebook, which then correlates that information, matching phone numbers or email addresses against other accounts in order to recommend other Facebook users as friends. Users are able to retrieve an archive of their contacts via the Facebook Download Your Information (DYI) tool. The bug was returning not only a user’s own contacts but also contact details for other users whose data Facebook had matched to them.
The problem occurs when a user’s contact list holds several entries for the same person, with details beyond those the person used to register their Facebook account. The export could then return multiple entries for the same person, or even contact information belonging to people who don’t use Facebook at all.
“In one case, they stated one additional email address was disclosed, though four pieces of data were actually disclosed. For another individual, they only told him about three out of seven pieces of data disclosed,” Packet Storm said today on its site. “It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure.”
Packet Storm added that Facebook said it did not report the total scope because it could not confirm that information belonged to a given user.
“Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the ‘bug’ when it compiled your data,” Packet Storm said. “It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.”
Packet Storm runs through an illustration of the bug on its site. Basically, it involves a user who registers with Facebook using a free email service and does not associate a phone number with his account. A friend of his uploads contact information that includes the first user’s phone number and a different email address. A third person, who does not know the first user, adds the free email address to their Facebook contacts. When the third person retrieves their archive, it contains not just what she uploaded but also the phone number and the other email address, because Facebook has correlated all of it together.
“What we believe Facebook should have done was emulate the DYI process and enumerate through their data to see what else was being disclosed indirectly, and after a first pass, enumerate again with the new data to develop a more comprehensive data set similar to what we found while testing,” Packet Storm said. “As the notifications to the user masked the information, any erroneous information would not have caused any extra data leak. We asked Facebook if they enumerated the information in hopes that their reporting had a bug but we were told that they only notified users if the leaked information mapped to their name.”
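The scenario above, and the two-pass enumeration Packet Storm describes, can be modelled as a graph of identifiers that co-occur in uploaded address-book entries. The following is an added example, not code or data from Facebook or Packet Storm; all people, emails and phone numbers in it are constructed. It reproduces the article's illustration (a user registered with a free email, a friend who uploads her phone and a second email, a stranger who uploads only the free email), then adds a fourth uploader so that a single correlation pass and a full enumeration give different disclosure totals. It also flags identifiers whose correlated cluster contains no registered account, which is how a non-user's details end up in someone else's archive.

```python
"""Model of indirect contact disclosure through correlated contact uploads.

Constructed example with hypothetical people and identifiers; it is not
Facebook's code or data and only illustrates the mechanism in the article.
"""
from collections import defaultdict

# Identifier each person registered their account with (constructed).
REGISTERED = {
    "alice": {"alice@freemail.example"},  # free email, no phone on the account
}

# Contact lists uploaded by each user; each record is one address-book entry
# (constructed). Frank never registered an account.
UPLOADS = {
    "bob":   [{"alice@freemail.example", "+1-555-0100", "alice.work@example.com"},
              {"frank@example.org", "+1-555-0200"}],
    "carol": [{"alice@freemail.example"}, {"frank@example.org"}],
    "dave":  [{"alice.work@example.com", "alice.other@example.net"}],
}


def cooccurrence(uploads):
    """Map each identifier to every identifier that shares an uploaded record with it."""
    graph = defaultdict(set)
    for records in uploads.values():
        for rec in records:
            for ident in rec:
                graph[ident] |= rec - {ident}
    return graph


def closure(start, graph, passes=None):
    """Follow correlations outward from `start`.

    passes=1 mirrors a single lookup of directly linked identifiers;
    passes=None keeps enumerating until no new identifiers appear, which is
    the full indirect disclosure.
    """
    seen = set(start)
    frontier = set(start)
    rounds = 0
    while frontier and (passes is None or rounds < passes):
        reached = set()
        for ident in frontier:
            reached |= graph[ident]
        frontier = reached - seen
        seen |= frontier
        rounds += 1
    return seen


def uploaded_by(uploader, uploads):
    """Everything this user put into their own contact upload."""
    return set().union(*uploads[uploader])


def disclosed_to(uploader, uploads, passes=None):
    """Identifiers the buggy archive would hand this user that they never uploaded."""
    graph = cooccurrence(uploads)
    exported = closure(uploaded_by(uploader, uploads), graph, passes)
    return exported - uploaded_by(uploader, uploads)


def belongs_to_non_user(ident, uploads, registered):
    """True if the identifier's whole correlated cluster contains no registered account."""
    graph = cooccurrence(uploads)
    cluster = closure({ident}, graph)
    registered_ids = set().union(*registered.values())
    return cluster.isdisjoint(registered_ids)


if __name__ == "__main__":
    for user in UPLOADS:
        one_pass = disclosed_to(user, UPLOADS, passes=1)
        full = disclosed_to(user, UPLOADS)
        print(f"{user}: {len(one_pass)} identifiers after one pass, "
              f"{len(full)} after full enumeration")
        for ident in sorted(full):
            tag = "non-user" if belongs_to_non_user(ident, UPLOADS, REGISTERED) else "user"
            print(f"  leaked {ident} ({tag})")
```

Running it shows Carol, who uploaded only Alice's free email and Frank's email, receiving Alice's phone, Alice's work email and Frank's phone after one pass, plus Alice's third email once the enumeration is repeated with the newly linked data. Frank's phone is flagged as belonging to a non-user: nobody registered with anything in that cluster, so a notification scheme that only reports data mapped to an account holder's name would never count it.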