A flaw in the way Facebook lets people upload contacts and download their information has been left open for months, leaking information including contact details for six million people.

Labelled a “good old-fashioned data-mismanagement leak”, the flaw over-shared information when users downloaded their data. Along with the user’s own data, Facebook served up contact information about friends of friends, and other contacts in other users’ networks. That included contact data for people who were not on Facebook at all.


“Some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook,” a blog post from the social network’s security team read.

“As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”

Approximately six million Facebook users’ email addresses or telephone numbers were shared, Facebook said, along with contact details that “were not connected to any Facebook users or even names of individuals”.

It attempted to assuage any user ire by noting “each individual email address or telephone number was only included in a download once or twice” and no other personal data was exposed. Furthermore, there were no reports that the information had been abused by people who received it.

However, Packet Storm, which shares threat information and has been looking into the bug, said it found that uploading just one public email address for a single user could “reap a dozen additional pieces of contact information”.

“Concerns still remain about the fact that dossiers are being built on everyone possible,” a post on the Packet Storm website said.

“The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening.”

Packet Storm approached Facebook, asking if it would ever commit to automatically discarding data of individuals who do not have a known Facebook account. Facebook said no, as contacts amount to user data submitted to the company, and it is “allowed to do with it what [it] wants”, according to Packet Storm.

Packet Storm also asked Facebook if it would delete data uploaded about users via third parties, including friends, if it is not in line with their privacy settings. “We were basically met with the same reasoning as above and in their wording they actually went as far as claiming that it would be a freedom of speech violation,” the company added.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
