The profile names, email addresses and phone numbers of more than 500 million Facebook users have been circulating publicly online for almost a week. It took Facebook days to acknowledge the root cause, an issue the company says it fixed in 2019. But researchers now say Facebook had known about similar vulnerabilities years earlier, and could have done far more to prevent the mass scraping in the first place.
The problem is Facebook’s Contact Importer, a feature that combs a user’s address book to find people they know who also use Facebook. Many social networks and communication apps offer a version of it as a kind of social lubricant. But Facebook’s Contact Importer in particular has had a string of known issues and supposed fixes over the years.
“I’m sure other companies are also sweating now. It’s not just Facebook,” says Inti De Ceukelaire, a Belgian security researcher who reported a vulnerability in Facebook’s contact import feature to the company in 2017. “But it’s a recurring theme for Facebook that whenever growth is at stake, they will think twice about fixing something that benefits the user’s privacy.”
De Ceukelaire and other researchers had previously alerted Facebook to similar problems. In 2012, Facebook made changes that resulted in the Contact Importer disclosing phone numbers and email addresses that users themselves had never provided. A researcher disclosed the problem to Facebook in 2013; in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland investigated the findings.
“Our office believes that FB did not have appropriate safeguards in place prior to the breach to protect the personal information of users and non-users,” the investigation found.
That incident differs from the more recent controversy, in which attackers were able to scrape Facebook by enumerating batches of possible phone numbers for more than 100 countries, submitting them to the Contact Importer, and manipulating it to return the names, Facebook IDs and other data users had posted on their profiles. Still, the earlier loophole showed the Contact Importer’s potential to expose sensitive data, and the need to look carefully for bugs and unintended behaviors in the feature.
De Ceukelaire’s research in 2017 is much more directly related to the methods used by attackers to extract the recent and massive dataset. “I discovered that it was relatively easy to reveal private phone numbers on Facebook, discovering certain phone numbers of Belgian celebrities and politicians,” De Ceukelaire wrote in February 2017. “Even if this trick seems to work only in small countries like Belgium (+/- 11.2 million people), a significant number of people are affected by this simple but effective privacy breach.”
De Ceukelaire had found a manual and somewhat limited, but still effective, way to enumerate phone numbers and extract the corresponding user information from Facebook through the contact import feature. He submitted the results to Facebook’s bug bounty program, but in communications reviewed by WIRED, the company said the issue was ineligible for payment.
The researcher had, however, raised two crucial points. First, attackers may well look for more powerful and efficient ways to abuse the contact import feature through phone number enumeration attacks. Facebook told De Ceukelaire at the time that it could revise its rate limits (the maximum number of submissions one can make) for the contact import feature, but that it did not consider the problem a vulnerability. Second, De Ceukelaire reported that users might not understand that the privacy controls they set for their Facebook profile information could be undermined by a separate Facebook privacy setting, “Who can search for me.”
Facebook lets you set your phone number and email address as visible to “Only me.” But it also has an entirely separate setting, “Who can search for me,” which determines whether someone can find you on Facebook using your phone number or email address through the Contact Importer. Even if your phone number is set to “Only me” on your profile, “Who can search for me” can still be set to “Everyone.” In that case, anyone who guesses your phone number can link it to your other public Facebook information.
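The enumeration attack described above and the mismatch between the two settings, modelled as an added example. This is not Facebook’s code and not the researcher’s; the importer, the profile names, the numbers, the setting names and values, and the per-caller rate limit are all constructed assumptions. It shows why a profile-level “Only me” on its own does not stop a scraper when the lookup setting is still permissive, and why a rate limit only caps one caller rather than closing the hole.

```python
"""Constructed model of phone-number enumeration through a contact-import
style endpoint. Not Facebook code; every name, number and setting below is
an assumption made for illustration."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    phone: str
    phone_visibility: str  # "only_me" or "everyone": who sees it on the profile
    lookup_by_phone: str   # "everyone" or "only_me": who can find you by it


# Constructed sample accounts. Carol hides her number on her profile but left
# the separate lookup setting at the permissive value.
PROFILES = [
    Profile(1001, "Alice", "+32470000012", "everyone", "everyone"),
    Profile(1002, "Bob",   "+32470000345", "only_me",  "only_me"),
    Profile(1003, "Carol", "+32470000789", "only_me",  "everyone"),
]


class ContactImporter:
    """Matches uploaded numbers to accounts.

    strict=False mirrors the behaviour the article describes: only the
    lookup setting is consulted, and the profile-level "Only me" is ignored.
    strict=True is the hardened variant: a number hidden on the profile is
    never usable as a lookup key, whatever the lookup setting says.
    per_caller_limit caps how many numbers one caller may submit in total.
    """

    def __init__(self, profiles, strict=False, per_caller_limit=None):
        self._by_phone = {p.phone: p for p in profiles}
        self.strict = strict
        self.per_caller_limit = per_caller_limit
        self._submitted = {}  # caller -> numbers submitted so far

    def _findable(self, p):
        if p.lookup_by_phone != "everyone":
            return False
        return not (self.strict and p.phone_visibility == "only_me")

    def lookup(self, caller, phones):
        used = self._submitted.get(caller, 0)
        if self.per_caller_limit is not None:
            phones = phones[:max(0, self.per_caller_limit - used)]
        self._submitted[caller] = used + len(phones)
        matches = {}
        for ph in phones:
            p = self._by_phone.get(ph)
            if p and self._findable(p):
                matches[ph] = (p.user_id, p.name)
        return matches


def enumerate_prefix(prefix, digits):
    """Every number under a prefix: the scraper's candidate list."""
    return [prefix + "".join(d) for d in product("0123456789", repeat=digits)]


def scrape(importer, caller, prefix, digits, batch=100):
    """Submit the candidate list in batches and collect phone -> (id, name)."""
    candidates = enumerate_prefix(prefix, digits)
    found = {}
    for i in range(0, len(candidates), batch):
        found.update(importer.lookup(caller, candidates[i:i + batch]))
    return found


if __name__ == "__main__":
    # Permissive importer: Carol's hidden number is linked to her name anyway.
    print(scrape(ContactImporter(PROFILES), "scraper", "+32470000", 3))
    # Hardened importer: only Alice, who chose to be findable, is returned.
    print(scrape(ContactImporter(PROFILES, strict=True), "scraper", "+32470000", 3))
    # Rate limit alone: the scraper just runs out of budget part-way through.
    print(scrape(ContactImporter(PROFILES, per_caller_limit=200), "scraper", "+32470000", 3))
```

The rate-limited run returns fewer matches only because one caller ran out of budget at the 200th candidate; splitting the same 1,000 candidates across several callers (or several days) recovers the full result, which is why a limit on submissions slows a scraper without removing the exposure. Only the strict variant, which refuses to use a hidden number as a lookup key, actually honours the profile-level setting.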