Firm: Facebook 'bug' worse than reported; non-users also affected

Summary: According to the firm who found the bug, Facebook's email to six million users affected by its shadow profiles leak left out some numbers. Plus, non-user contacts were also leaked. UPDATED with Facebook responses (inline).

The security researchers who found Facebook's shadow profiles vulnerability have compared their numbers to what Facebook told its users in emails, and the numbers don't match.

They say Facebook told users the data exposure was much smaller than what the researchers found, and the researchers also say Facebook is hoarding non-users' contact information, which was likewise shared and exposed in the leak.

On Friday, Facebook announced it had fixed a bug it said had inadvertently exposed the private information of over six million users when Facebook's previously unknown shadow profiles accidentally merged with user accounts in data history record requests.

Since at least 2012, Facebook users who used the Download Your Information (DYI) tool to get their data history record also got an address book with contacts users had never provided to Facebook.

Facebook explained the issue to ZDNet Sunday after user anger exploded — saying that when a Facebook user uploads an address book, the social network obtains all contacts in the user's database and saves all of them.

Users are still furious; they were unaware that their not-for-sharing, offsite phone numbers and email addresses were being collected, stored, secretly matched to them (and now accidentally shared) by Facebook.

In its Friday email, Facebook disclosed the security and privacy flaw to users, but no one knew that Facebook's email wasn't telling the whole story — except security researcher Michael Fury (who originally found the vulnerability) and colleagues at Packet Storm Security (and anyone quietly exploiting the data breach).

Because Packet Storm had prior test data verifying the leak, they were able to compare what they knew was actually being revealed in the DYI reports against what Facebook reported to its users via email — as well as what Facebook told the press.

Packet Storm wrote in Facebook: Math of the Aftermath,

We compared Facebook email notification data to our test case data. In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed.

For another individual, they only told him that 3 out of 7 pieces of data were disclosed.

It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.

The statement that "No other info about you was shown" seems to be a red herring. We asked Facebook what this means for non-Facebook-users who had their information also disclosed.

The answer was simple — they were not contacted and the information was not reported. As a billion users upload their contacts, their associates on and off of Facebook will all become stored and correlated.

At this point, Facebook may have email addresses and phone numbers on everyone, Facebook user or not.

When reached for comment about Packet Storm Security's "Math of the Aftermath" post, Facebook declined to comment, saying that all it had to say on the matter was in its Friday blog post, a repeat of the information Packet Storm is contradicting.

The social network said that it obtains and matches the offsite-sourced data to user profiles — creating shadow profiles — "to better create friend suggestions" for the user.

This appears to be the first time Facebook has publicly admitted that users' shadow profiles contain more than native data (such as posts or information you deleted but that Facebook retains) and also contain data that Facebook is harvesting from other users.

After last week's experience, Packet Storm believes that Facebook is compiling "frightening" shadow profile "dossiers on everyone possible" — including people without Facebook accounts.

Troubled by their difficulties trying to talk to Facebook about its users' private data, user consent and high-risk data retention practices, Packet Storm wrote in its Friday post, Facebook: Where Your Friends Are Your Worst Enemies:

When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded.

However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads other users have performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people.

In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information. It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.

(...) Our first question asked whether, in the name of common decency and privacy, Facebook would ever commit to automatically discarding information of individuals that do not have a known Facebook account?

Their response was essentially that they think of [all] contacts imported by a [single] user as the user's data and they [Facebook] are allowed to do with it what they want.
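The merge behaviour the quoted post describes, modelled in Python as an added example that is not Facebook's or Packet Storm's code: an export that joins uploads sharing a single identifier value hands each requester every other uploader's fields, while a scoped export returns only what that requester supplied. The users, contacts and field values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample uploads: (uploading user, contact name, fields that uploader had).
# "carol" contributes data on the same person, who need not have a Facebook account.
UPLOADS = [
    ("alice", "Jane Doe", {"email": "jane@example.com"}),
    ("bob", "Jane Doe", {"email": "jane@example.com", "phone": "+1-555-0100",
                         "work_email": "jdoe@work.example"}),
    ("carol", "J. Doe", {"phone": "+1-555-0100", "address": "12 Sample St"}),
]

def _merged_records(uploads):
    """Leaky matching as the article describes it: uploads sharing even one identifier
    value are joined (union-find over the values) and every uploader's fields land in
    one shared record. Returns a map from each identifier value to its merged record."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for _, _, fields in uploads:
        values = list(fields.values())
        for v in values[1:]:
            parent[find(v)] = find(values[0])  # one shared value joins the whole record
    records = defaultdict(dict)
    for _, _, fields in uploads:
        records[find(next(iter(fields.values())))].update(fields)
    return {v: records[find(v)] for v in list(parent)}

def leaky_export(user, uploads):
    """Vulnerable DYI behaviour: addressbook.html carries the whole merged record for
    each contact the user uploaded, including fields supplied by other users."""
    by_value = _merged_records(uploads)
    return {name: dict(by_value[next(iter(fields.values()))])
            for who, name, fields in uploads if who == user}

def scoped_export(user, uploads):
    """Fixed behaviour: the archive contains only the fields this user uploaded."""
    return {name: dict(fields) for who, name, fields in uploads if who == user}

def leaked_fields(user, uploads):
    """Fields the leaky archive discloses to a user that the user never supplied."""
    leaky, scoped = leaky_export(user, uploads), scoped_export(user, uploads)
    return {name: sorted(set(rec) - set(scoped[name])) for name, rec in leaky.items()}
```

Here alice uploads one public email address and the leaky export returns three fields she never had, the pattern Packet Storm reports at a larger scale.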

Disturbingly, Facebook declined to answer many of Packet Storm's crucial questions, and at one point Facebook actually told Packet Storm that Facebook stood on First Amendment rights with this data collection policy.

The policy is that, in this area, your data is not yours; it belongs to your friends, and by Facebook's rules your friends — or merely people you know — have more control over your data than you do.

Facebook's DYI history feature rolled out in October 2010 to more than 500 million Facebook users over the span of several months. Lawyers wrote about using DYI as a discovery tool for court cases, for both clients and adversaries.

A month after Facebook's DYI history download tool was rolled out to 500 million users, in November 2011, the U.S. Federal Trade Commission (FTC) settled its complaint with Facebook regarding changes the site made in 2009 to user privacy that the Federal government called “unfair and deceptive.”

According to the 2011 agreement, Facebook: “shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information.”

In addition, Facebook was ordered "to notify users and obtain their consent before sharing any information" that “materially exceeds the restrictions imposed by a user’s privacy setting.”

This meant that Facebook would need users to consent before it shares their data in a way that is different from how users initially agreed.

Unfortunately, it didn't say anything about data or information Facebook obtains from a user's friends, retained and shadow-profiled under the banner of "making better friend recommendations."

In December 2011, Max Schrems of Vienna, Austria, went a step further than downloading his own information and sent a formal request to Facebook citing European law and asked for his data. He received a CD with 1,222 files.

The unsettling detail of his Facebook dossier included items he'd deleted: likes, unlikes, and a plethora of information on his friends' activities and even their whereabouts at any given time.

As of June 2013, there are 1.11 billion Facebook users, with 665 million active daily. Its 2012 revenue was $5.09 billion. The number of people who utilized the Download Your Information tool in 2012 is unknown; when reached for comment on frequency of use, Facebook told ZDNet the DYI numbers are not made available publicly.

We will likely never know how many people obtained Facebook's shadow profile data on others.

In their most recent post, Packet Storm cautioned that beyond the egregious privacy violations in Facebook's claims to ownership of data on users not obtained with their consent, or the dossiers being built on people who aren't on Facebook:

We may never know the true numbers surrounding the disclosure but the liability of housing this additional data appears obvious.

Governments aside, history shows that Facebook has been successfully targeted by Chinese hackers and known malicious hackers.

Topics: Security, Data Management, Government US, Legal, Privacy

Talkback

6 comments
  • Who is Facebook's customer....What does Facebook sell?

    Facebook...gives away profiles for "FREE"
    Facebook...stores data for "FREE"
    Facebook....lets you share photos for "FREE"
    Facebook....lets you message your friends for "FREE"

    What does Facebook sell?
    Facebook tries to make you buy gifts for your friends.
    Facebook sells screen space on the user's screen---ads.

    The user is NOT Facebook's customer......
    somethingtothinkabout
  • This is SO simple ...

    Don't do social media ...
    David_Hedricks
    • Better tell that to all your 'friends', too.....

      This data-gobble includes us 'non-FB-users', as well. FB/NSA doesn't like it that some of us refuse to 'join in' social media.
      hippiekarl
    • golden oldie but a goodie

      http://web.archive.org/web/20001109204800/http://www.cryptonym.com/hottopics/msft-nsa/msft-nsa.html

      Long ago but not forgotten
      I never recommend socmed. In the U.S., info is never used on your behalf, only against you. They tend to weaponize everything. Kind of a sickness.

      Then again how can you trust a guy who betrayed a relationship to start the business. Then made the claim that all your pics belonged to him/the company.

      I would guess the NSA backdoor program that puts all the related links together for the DAILY DUMP was sitting in cache and the user fetch picked up an existing cached collection based on the username.

      How can you expect a business with the mind of a thief to do a conscientious job on protecting people when his mind is busy preying on them?
      newcustomer@...
    • And don't...

      Don't give your phone number, email, address, or anything else to your friends either. Turn you phone and internet OFF. See, this is how it works. All your friends have your number and maybe email, address, etc.. in their contacts on their phones. They download the FB app and sign in to set it up. They choose to upload their contact list into their FB account and voila... your info is now in FB's servers, even if you don't have an account. FB collects all this data as "shadow profiles"... then FB has a bug, and voila, there goes your information.

      So "don't do social media" doesn't save you. The less we do the better they get at figuring out how to get your information anyway.
      waterhzrd
  • who is going to go after facebook

    I wish that governments and private companies could be treated equal when it comes to privacy.
    The US government can legally spy on people, can do this for years and still call it the WAR ON TERROR.
    Facebook can do it too, saying they own any data stored on their servers, likewise google and any other company can do this.
    I just wish that the courts would stop looking at facebook and other companies, or the government, as revenue generating and would force them to shut down operations and finally put people into prison who deserved it, not just a slap on the wrist. Privacy seems to be taken lightly in the USA; nobody likes invasion, but nobody is doing anything about it, least of all the people who have the power to do so.
    Wish hackers would finally do enough damage to actually cause some uproar that is beyond shouting, more like doing something for a change. sheeesh
    PINASCOPY