Security company Packet Storm criticizes Facebook for downplaying bug that allowed access to potentially sensitive information
By Ted Samson
Bad news for privacy-conscious souls who’ve tried to keep their personal data out of Facebook’s deep info troves: The company has suffered a massive data leak affecting not just millions of its users, but also an undisclosed number of users who might not even use the social networking site. Compounding the problem, security company Packet Storm — which first reported the data leak — is accusing Facebook of downplaying the scope of the leak, to the point of being “antithetical to [its] own aspirational goal in winning consumers’ trust.”
“As a billion users upload their contacts, their associates on and off of Facebook will all become stored and correlated,” warned Packet Storm. “At this point, Facebook may have email addresses and phone numbers on everyone, Facebook user or not.”
To understand the nature of the Facebook data leak, you first need to know that Facebook lets you upload your contacts’ information (name, phone numbers, and email addresses) and that you can request for Facebook to generate a report containing all the information it has about you. The report includes a file called addressbook.html, which contains the contact info you’ve provided. That’s simple enough.
The problem is, for about a year, whenever Facebook generated a user-requested information report, it wouldn’t just include contact info the user had uploaded; it would also include all the information in Facebook’s data stores associated with that contact, regardless of who uploaded it. Say you gave 10 acquaintances just your work email address, and they added the info to their contact lists and uploaded it to Facebook. Say you also gave a special someone both your work address and personal email address, along with your private mobile number, which she added to her contact list and uploaded to Facebook. Thanks to the back-end bug, if any of those first 10 acquaintances requested their information report from Facebook, their reports wouldn’t just include your work address — it would include your personal address and mobile digits as well.
Facebook has since emailed 6 million users potentially affected by the bug, alerting them to “a technical bug [that] caused your telephone number or email address to be accessible by another person.” It goes on to specify which contact information may have been leaked and an estimated number of Facebook users who may have seen it. “No other info about you was shown and it’s likely that anyone who saw this is not a stranger to you, even if you’re not friends on Facebook,” the letter read.
Though the folks at Packet Storm commended Facebook for alerting users to the leak, they’re taking the social network to task for several reasons. First, they’re accusing Facebook of downplaying the potential scope of the leak to users. “We compared Facebook email notification data to our test case data. In one case, they stated one additional email address was disclosed, though four pieces of data were actually disclosed. For another individual, they only told him about three out of seven pieces of data disclosed,” according to the Packet Storm blog.
“Facebook claimed that information went unreported because they could not confirm it belonged to a given user,” the blog post continues. “Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the ‘bug’ when it compiled your data.”
Second, Packet Storm is questioning Facebook’s decision not to alert non-Facebook users who may have been affected. “We asked Facebook what this means for non-Facebook-users who had their information also disclosed. The answer was simple … Facebook felt that if they attempted to contact non-users, it would lead to more information disclosure,” according to Packet Storm. “Given that they already masked the disclosed information in the email, we feel this is a weak, circular argument. If masking is good enough for their users, why isn’t it for non-users?”
Third, Packet Storm questioned Facebook’s approach to storing any and all user-uploaded contact information in the first place: “[T]he liability of housing this additional data appears obvious,” according to the company, not only in light of the recently revealed government surveillance programs but also the fact that the company has been “has been successfully targeted by … malicious hackers.”
Packet Storm laid out a solution for Facebook and social networking sites to consider for addressing this particular user-data problem. In a nutshell, if a user uploads a contact’s information, the contact should be able to decide whether or not Facebook may store the data. If the contact denies permission — or doesn’t respond within a week — the data gets purged.