Facebook Security Bug Exposes Your Private Info

By Josh Bickham

More than 6 million Facebook users and non-Facebook users private contact information is exposed by security bug.

Last week Facebook acknowledged the existence of a security bug that has been shrouded deep in its servers for the last year.  Facebook first reported to its users that the bug inadvertently exposed the contact information of some 6 million personal accounts.  But it seems as though Facebook isn’t admitting all the facts, and the leak of private information has extended much deeper and affected the private contact information of Non-Facebook users as well.

The security bug was first found by independent researchers, a company called Packet Storm Security, through Facebook’s White Hat program.  The White Hat program awards a bounty of cash value to security researchers who find bugs in Facebook’s systems and reports them.  There is an extensive list of qualifications these researchers must meet in order to collect the bounty, the minimum reward is $500 and increases the more creative and the greater the security threat the bug or glitch poses.

This bug is related to the social network’s friend discovery process, and allowed the private email addresses and phone numbers to be viewed by people who “had some contact information about that person or some connection to them.”

Facebook posted how the bug worked in a recent blog post:

“When people upload their contact lists or address books to Facebook, we try to match the data with the contact information of other people on Facebook in order to generate friend recommendations.  For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

The bug caused some of the data used to connect with friends to be stored alongside a person’s contact information.  By using the ‘Download Your Information’ tool, people were granted access to a user’s private email address and phone numbers that would otherwise be hidden”

What!?  Relax and we’ll break it down.

The ‘Download Your Information’ tool is a feature that allows you to download all of your Facebook account data into a single file that includes everything from timeline info, posts, messages, shared photos and any other personal information you’ve included in your profile.  The file can then be used to upload to other online services or to use as a back-up of your profile.

The problem is that the bug downloads your friend lists and their contact information, and it downloads the contact information that your friends have set to private, as well as the private contact information of friends associated with your friends.  That means even if you are not “friends” with a person, because you are a “friend” of their “friend”, they could possibly have had access to your private contact information through this data download.

But Packet Storm Security began to compare their reports with the reports that Facebook was giving to the public, and they didn’t match up.  Packet Storm’s data reports that the bug not only exploited Facebook users, but Non-Facebook users as well.

How did that happen?!

Even if you don’t have a Facebook account, chances are your friends have your phone number or email address in their phone or email contacts list.  When you import contacts from your phone or from an email to help you find friends on Facebook, the contacts in your address book that don’t have a Facebook profile are stored on Facebook’s servers.  This is done so that you may send these friends invites to join Facebook.  But because the bug exploits your contacts list, it merged any user and non-user contact information imported from your phone or email and associated it with your account, making it all available through the ‘Download Your Info’ tool.

Not only does the fact that Facebook’s failure to report this information to the public have them in an uproar, and albeit rightfully angry, but it proves that Facebook is collecting and hoarding personal information of people who have chosen not to associate themselves with the company.  One could almost consider it as an invasion of privacy.


Facebook has deactivated the ‘Download Your Info’ tool until the bug can be isolated and removed, and has assured the affected users that none of the information has been used maliciously.  But since the bug has affected Non-Facebook users as well, it’s unknown the extent of the damage, especially since Facebook is obviously obscuring the facts.

There is an option in Facebook for you to delete any non-user contact information so that it will no longer be associated with your account.

By going to the following link you can delete the entire list of imported contact information; this will not delete any current friends, but may make future friend suggestions less relevant:

https://www.facebook.com/contact_importer/remove_uploads.php

You can also access your list of imported contacts by going to this link and delete individual non-user contacts that have been “Invited” and haven’t accepted, or “Not-Yet Invited”.

https://www.facebook.com/invite_history.php

It is important to note that contacts from your phone will automatically be re-added if you do not disable the contact sync feature first by going to:  Settings > Facebook > Toggle Contacts to “Off” > Update All Contacts.  Then go to the above links to delete non-user contacts. (iPhone users)

Advertisements

5 comments on “Facebook Security Bug Exposes Your Private Info

  1. Pingback: Second Generation of Invasion Into Our Personal Information | pushinback

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s