Firm: Facebook 'bug' worse than reported; non-users also affected

According to the firm that found the bug, Facebook's email to the six million users affected by its shadow profiles leak understated the numbers. Contacts who are not Facebook users were also leaked. UPDATED with Facebook responses (inline).
Written by Violet Blue, Contributor

The security researchers who found Facebook's shadow profiles vulnerability have compared their numbers to what Facebook told its users in emails, and the numbers don't match.

They say Facebook told users the data exposure was much smaller than what the researchers found, and the researchers also say Facebook is hoarding contact information on non-users, information that was likewise shared and exposed in the leak.

On Friday, Facebook announced it had fixed a bug that it said inadvertently exposed the private information of over six million users when Facebook's previously unknown shadow profiles accidentally merged with user accounts in data history record requests.


Since at least 2012, Facebook users who used the Download Your Information (DYI) tool to get their data history record also got an address book with contacts users had never provided to Facebook.

Facebook explained the issue to ZDNet Sunday after user anger exploded — saying that when a Facebook user uploads an address book, the social network obtains all contacts in the user's database and saves all of them.

Users are still furious and were unaware that their not-for-sharing, offsite phone numbers and email addresses are being collected, stored, secretly matched to them (and now accidentally shared) by Facebook.

In its Friday email, Facebook disclosed the security and privacy flaw to users, but no one knew that Facebook's email wasn't telling the whole story — except security researcher Michael Fury (who originally found the vulnerability) and colleagues at Packet Storm Security (and anyone quietly exploiting the data breach).

Because Packet Storm had prior test data verifying the leak, they were able to compare what they knew was actually being revealed in the DYI reports against what Facebook reported to its users via email — as well as what Facebook told the press.

Packet Storm wrote in Facebook: Math of the Aftermath,

We compared Facebook email notification data to our test case data. In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed.

For another individual, they only told him that 3 out of 7 pieces of data were disclosed.

It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.

The statement that "No other info about you was shown" seems to be a red herring. We asked Facebook what this means for non-Facebook-users who had their information also disclosed.

The answer was simple — they were not contacted and the information was not reported. As a billion users upload their contacts, their associates on and off of Facebook will all become stored and correlated.

At this point, Facebook may have email addresses and phone numbers on everyone, Facebook user or not.

When reached for comment about Packet Storm Security's "Math of the Aftermath" post, Facebook declined to comment, saying that all it had to say on the matter was in its Friday blog post, a repeat of the information Packet Storm is contradicting.

The social network said that it obtains and matches the offsite-sourced data to user profiles — creating shadow profiles — "to better create friend suggestions" for the user.

This appears to be the first time Facebook has publicly admitted that users' shadow profiles contain more than native data (such as posts or information you deleted but that Facebook retains) and also hold data that Facebook harvests from other users' uploads.

After last week's experience, Packet Storm believes that Facebook is compiling "frightening" shadow profile "dossiers on everyone possible" — including people without Facebook accounts.

Troubled by their difficulties trying to talk to Facebook about its users' private data, user consent and high risk data retention practices, Packet Storm wrote in its Friday post, Facebook: Where Your Friends Are Your Worst Enemies:

When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded.

However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads other users have performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people.

In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information. It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.

(...) Our first question asked that, in the name of common decency and privacy, would Facebook ever commit to automatically discarding information of individuals that do not have a known Facebook account?

Their response was essentially that they think of [all] contacts imported by a [single] user as the user's data and they [Facebook] are allowed to do with it what they want.
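As an added illustration (this is not Facebook's code, nor anything Packet Storm published), the following Python toy models the mechanism the post describes: contact records uploaded by different users are linked whenever they share a single identifier, and the flawed Download Your Information export hands the requesting user the whole linked cluster instead of only the fields that user uploaded. The sample uploads, user names and the `link_records`, `export_vulnerable`, `export_hardened` and `leaked_fields` functions are all constructed for this example; `leaked_fields` is the check a reviewer would run to measure the exposure, and `export_hardened` shows the scope limit that closes it.

```python
"""Toy model of the DYI address-book leak described in the quoted post.

Added example, not Facebook's or Packet Storm's code.  Records uploaded by
different users are joined when they share one identifier (transitively),
and the vulnerable export returns the whole cluster to whoever uploaded
any one record in it.
"""
from collections import defaultdict

# Constructed sample uploads: (uploading_user, contact_record).
# "Pat" is an off-site person; three different users each know a
# different slice of Pat's contact details.
SAMPLE_UPLOADS = [
    ("alice", {"name": "Pat", "email": "pat@example.com"}),
    ("bob",   {"name": "P. Smith", "email": "pat@example.com", "phone": "+1-555-0100"}),
    ("carol", {"phone": "+1-555-0100", "email": "pat.work@example.net"}),
    ("alice", {"name": "Dana", "email": "dana@example.com"}),
]

# Fields treated as identifiers: one match on any of them links two records.
IDENTIFIER_FIELDS = ("email", "phone")


def link_records(uploads):
    """Union-find over upload indices.  Returns one cluster id per upload;
    records sharing any identifier value end up with the same id."""
    parent = list(range(len(uploads)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    seen = {}  # (field, normalised value) -> first upload index carrying it
    for idx, (_, rec) in enumerate(uploads):
        for field in IDENTIFIER_FIELDS:
            val = rec.get(field)
            if val is None:
                continue
            key = (field, val.lower())
            if key in seen:
                parent[find(idx)] = find(seen[key])
            else:
                seen[key] = idx
    return [find(i) for i in range(len(uploads))]


def export_vulnerable(uploads, user):
    """Flawed export: for each contact the user uploaded, return every
    field value from the whole cluster, regardless of who uploaded it.
    Each returned record maps field -> sorted list of values."""
    clusters = link_records(uploads)
    merged = defaultdict(lambda: defaultdict(set))
    for idx, (_, rec) in enumerate(uploads):
        for field, val in rec.items():
            merged[clusters[idx]][field].add(val)
    return [
        {field: sorted(vals) for field, vals in merged[clusters[idx]].items()}
        for idx, (owner, _) in enumerate(uploads)
        if owner == user
    ]


def export_hardened(uploads, user):
    """Fixed export: return exactly the records this user uploaded, so the
    archive never carries data contributed by someone else."""
    return [dict(rec) for owner, rec in uploads if owner == user]


def leaked_fields(uploads, user):
    """(field, value) pairs in the vulnerable export that the user never
    uploaded: the actual magnitude of the exposure for that user."""
    own = set()
    for rec in export_hardened(uploads, user):
        own.update(rec.items())
    exposed = set()
    for rec in export_vulnerable(uploads, user):
        for field, vals in rec.items():
            exposed.update((field, v) for v in vals)
    return exposed - own


if __name__ == "__main__":
    for pair in sorted(leaked_fields(SAMPLE_UPLOADS, "alice")):
        print("leaked to alice:", pair)
```

Run on the constructed data, `alice` uploaded only Pat's name and one email address, yet the vulnerable export gives her Pat's phone number, a second email address and an alternate name, all contributed by `bob` and `carol`; the hardened export returns just her own two records.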

Disturbingly, Facebook declined to answer many of Packet Storm's crucial questions, and at one point Facebook actually told Packet Storm that Facebook stood on First Amendment rights with this data collection policy.

The policy being that in this area, your data is not yours; it belongs to your friends, and by its rules your friends — or merely people you know — have more control over your data than you do.

Facebook's DYI history feature rolled out in October 2010 to more than 500 million Facebook users over the span of a number of months. Lawyers wrote about using DYI as a discovery tool in court cases, for both clients and adversaries.

A month after Facebook's DYI history download tool was rolled out to 500 million users, in November 2011, the U.S. Federal Trade Commission (FTC) settled its complaint with Facebook regarding changes the site made in 2009 to user privacy, changes the federal government called “unfair and deceptive.”

According to the 2011 agreement, Facebook: “shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information.”

In addition, Facebook was ordered "to notify users and obtain their consent before sharing any information" that “materially exceeds the restrictions imposed by a user’s privacy setting.”

This meant that Facebook would need users to consent before it shares their data in a way that is different from how users initially agreed.

Unfortunately, it didn't say anything about data or information Facebook obtains from a user's friends, retained and shadow-profiled under the banner of "making better friend recommendations."

In December 2011, Max Schrems of Vienna, Austria, went a step further than downloading his own information and sent a formal request to Facebook citing European law and asked for his data. He received a CD with 1,222 files.

The unsettling detail of his Facebook dossier included items he'd deleted: likes, unlikes, and a plethora of information on his friends' activities and even their whereabouts at any given time.

As of June 2013, there are 1.11 billion Facebook users, with 665 million active daily. Its 2012 revenue was $5.09 billion. The number of people who utilized the Download Your Information tool in 2012 is unknown; when reached for comment on frequency of use, Facebook told ZDNet the DYI numbers are not made available publicly.

We will likely never know how many people obtained Facebook's shadow profile data on others. 

In their most recent post, Packet Storm cautioned that beyond the egregious privacy violations in Facebook's claims to ownership of data on users not obtained with their consent, or the dossiers being built on people who aren't on Facebook:

We may never know the true numbers surrounding the disclosure but the liability of housing this additional data appears obvious.

Governments aside, history shows that Facebook has been successfully targeted by Chinese hackers and known malicious hackers.
