Facebook has plugged a privacy hole in its Pages Manager application for Android.
Facebook Pages help businesses establish a presence on the social network, while the app enables an admin to manage posts, respond to comments and messages, push notifications to customers, manage photographs and more. Facebook Pages Manager for Android is a free app and has been installed at least 5 million times according to its Google Play page.
The vulnerability was in the app’s Messages feature, which is used for private communications between a manager and customer. Any photographs attached to a message were also appearing on the wall of the Page.
Android Police, a blog dedicated to Android, reported that the patch was installed server-side at Facebook, and no update to the app was necessary. Facebook’s engineering team told the blog that it was looking for photos marked private that were appearing on public walls and would take them down.
A Facebook security team member told Android Police that the patch repairs an issue that was introduced a week ago by Facebook’s developers.
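The defect class described above, an attachment that does not inherit the visibility of the private message it belongs to, is easy to model and to test for. The following is an added illustration written for this article, not Facebook's code or any description of how its Pages backend works: the `Page`, `Message` and `Photo` types, the two `attach_photo_*` variants and the `audit_private_leaks` invariant check are all hypothetical. It shows a store where a photo carries its own visibility flag, the defective attach path that sets that flag to a public default, the hardened path that copies the container's visibility at creation time, and a defender's audit that flags any photo reachable from the public wall while attached to a private message.

```python
"""Hypothetical model of the attachment-visibility defect class.
Constructed example; the data model and function names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

PRIVATE = "private"
PUBLIC = "public"


@dataclass
class Photo:
    photo_id: str
    owner_message: str   # id of the message the photo was attached to
    visibility: str      # stored per object; the two attach variants differ here


@dataclass
class Message:
    message_id: str
    visibility: str
    photo_ids: List[str] = field(default_factory=list)


@dataclass
class Page:
    """Toy page store: messages plus a flat photo store the wall renders from."""
    messages: Dict[str, Message] = field(default_factory=dict)
    photos: Dict[str, Photo] = field(default_factory=dict)


def attach_photo_unscoped(page: Page, message_id: str, photo_id: str) -> Photo:
    """Defective pattern: the photo gets the store's default visibility (public)
    regardless of the message it is attached to."""
    msg = page.messages[message_id]
    photo = Photo(photo_id, message_id, PUBLIC)
    page.photos[photo_id] = photo
    msg.photo_ids.append(photo_id)
    return photo


def attach_photo_scoped(page: Page, message_id: str, photo_id: str) -> Photo:
    """Hardened pattern: the attachment inherits the container's visibility at
    creation time, so it can never be wider than the message that holds it."""
    msg = page.messages[message_id]
    photo = Photo(photo_id, message_id, msg.visibility)
    page.photos[photo_id] = photo
    msg.photo_ids.append(photo_id)
    return photo


def render_wall(page: Page) -> List[str]:
    """The public rendering path: every photo flagged public, in id order."""
    return sorted(p.photo_id for p in page.photos.values() if p.visibility == PUBLIC)


def audit_private_leaks(page: Page) -> List[str]:
    """Invariant check a defender can run after any change to the publish path:
    no photo rendered on the public wall may be attached to a private message.
    Returns the offending photo ids (empty when the invariant holds)."""
    public = set(render_wall(page))
    leaked = []
    for msg in page.messages.values():
        if msg.visibility != PRIVATE:
            continue
        leaked.extend(pid for pid in msg.photo_ids if pid in public)
    return sorted(leaked)


def demo(scoped: bool) -> List[str]:
    """Build a page with one private conversation and one public post, attach
    a constructed photo to each, and return the audit result."""
    page = Page()
    page.messages["dm-1"] = Message("dm-1", PRIVATE)
    page.messages["post-1"] = Message("post-1", PUBLIC)
    attach = attach_photo_scoped if scoped else attach_photo_unscoped
    attach(page, "dm-1", "receipt.jpg")        # sent inside a private message
    attach(page, "post-1", "storefront.jpg")   # a genuinely public post
    return audit_private_leaks(page)


if __name__ == "__main__":
    print("unscoped:", demo(scoped=False))   # the private receipt reaches the wall
    print("scoped:  ", demo(scoped=True))    # nothing leaks
```

The audit deliberately walks from the private messages outward rather than trusting the photo's own flag: the flag is exactly the piece of state that was wrong, so a check that only reads it would pass on the defective store. Running such an invariant as a regression test on the publish path is the kind of control that catches a server-side change like the one described here before it reaches users.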
“There’s some overlap between security and privacy, and while this may not have been a vulnerability for an attacker to exploit, it’s certainly the sort of issue we’d want to know about,” Facebook told Android Police.
Facebook has had an uphill climb with regard to privacy, especially since its users are essentially its product. While publicly saying it prioritizes the privacy of its users, the company still leverages user information for targeted, contextual advertising and is looking into location-based marketing as well, all of which has privacy advocates nervous.
Facebook chief privacy officer Erin Egan said during a panel at RSA Conference 2013 that Facebook is examining contextual privacy interfaces.
“It will come down to contextual controls at the moment people are engaging with a service where they can determine what they want to share at that moment,” Egan said.
And then there are new products from Facebook such as Facebook Graph Search, a new search interface that enables very narrow, plain English queries of Facebook Friends. Security professionals are nervous because tools such as this are another arrow in a hacker’s quiver, especially for those proficient in identity theft or building targeted attacks. Mining of social media data is often an attacker’s first step in building victim profiles for phishing and spam campaigns, for example.
Egan told Threatpost at RSA that her teams help evaluate products from the early stages of development as part of cross-functional internal organizations that include information security and legal.
“We look at every product feature as a team and look at all of the complexities (regulatory and legal) and analyze them together,” Egan said. “The way to manage and understand all of those complexities is to bring in experts in each area to analyze each product and feature review.”