Facebook 'bug' worse than reported; non-users also affected
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 27 Jun 2013 10:46:57 -0500
The security researchers who found Facebook's shadow profiles
vulnerability have compared their numbers to what Facebook told its
users in emails, and the numbers don't match.
They say Facebook told users the data exposure is much less than what
the researchers found, and the researchers also say Facebook is
hoarding non-user contact information — seen when it was also shared
and exposed in the leak.
Friday Facebook announced the fix of a bug it said inadvertently
exposed the private information of over six million users when
Facebook's previously unknown shadow profiles accidentally merged with
user accounts in data history record requests.
Since at least 2012, Facebook users who used the Download Your
Information (DYI) tool to get their data history record also got an
address book with contacts users had never provided to Facebook.
Facebook explained the issue to ZDNet Sunday after user anger exploded
— saying that when a Facebook user uploads an address book, the social
network obtains all contacts in the user's database and saves all of
Users are still furious and were unaware that their not-for-sharing,
offsite phone numbers and email addresses are being collected, stored,
secretly matched to them (and now accidentally shared) by Facebook.
In its Friday email, Facebook disclosed the security and privacy flaw
to users, but no one knew that Facebook's email wasn't telling the
whole story — except security researcher Michael Fury (who originally
found the vulnerability) and colleagues at Packet Storm Security (and
anyone quietly exploiting the data breach).
Because Packet Storm had prior test data verifying the leak, they were
able to compare what they knew was actually being revealed in the DYI
reports against what Facebook reported to its users via email — as
well as what Facebook told the press.
Packet Storm wrote in Facebook: Math of the Aftermath,
We compared Facebook email notification data to our test case data. In
one case, they stated 1 [one] additional email address was disclosed,
though 4 pieces of data were actually disclosed.
For another individual, they only told him about 3 out of 7 pieces of
data were disclosed.
It does not appear that they will take any extra steps at this point
to explain the real magnitude of the exposure and we suspect the
numbers are much higher.
The statement that "No other info about you was shown" seems to be a
red herring. We asked Facebook what this means for non-Facebook-users
who had their information also disclosed.
The answer was simple — they were not contacted and the information
was not reported. As a billion users upload their contacts, their
associates on and off of Facebook will all become stored and
At this point, Facebook may have email addresses and phone numbers on
everyone, Facebook user or not.
When reached for comment about Packet Storm Security's "Math of the
Aftermath" post, Facebook declined to comment saying that all it had
to say on the matter was in its Friday blog post - a repeat of the
information Packet Storm is contradicting.
The social network said that it obtains and matches the
offsite-sourced data to user profiles — creating shadow profiles — "to
better create friend suggestions" for the user.
This appears to be the first time Facebook has publicly admitted that
users' shadow profiles contain more than native data (such as posts or
information you deleted but are retained by Facebook) and also contain
data that Facebook is harvesting from other users.
After last week's experience, Packet Storm believes that Facebook is
compiling "frightening" shadow profile "dossiers on everyone possible"
— including people without Facebook accounts.
Troubled by their difficulties trying to talk to Facebook about its
users' private data, user consent and high risk data retention
practices, Packet Storm wrote in its Friday post, Facebook: Where Your
Friends Are Your Worst Enemies:
When you open the downloaded archive, there is a file inside called
addressbook.html. This file is supposed to house the contact
information you uploaded.
However, due to a flaw in how Facebook implemented this, it also
housed contact information from other uploads other users have
performed for the same person, provided you had one piece of matching
data, effectively building large dossiers on people.
In our testing, we found that uploading one public email address for
an individual could reap a dozen additional pieces of contact
information. It should also be noted that the collection of this
information goes for all of the data uploaded, regardless of whether
or not your contacts are Facebook users.
(...) Our first question asked that, in the name of common decency and
privacy, would Facebook ever commit to automatically discarding
information of individuals that do not have a known Facebook account?
Their response was essentially that they think of [all] contacts
imported by a [single] user as the user's data and they [Facebook] are
allowed to do with it what they want.
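The merge-on-export behaviour Packet Storm describes above, together with the notification arithmetic from its Math of the Aftermath post, modelled as an added example (constructed Python, not Facebook's or Packet Storm's code): a flawed export that absorbs any record from any uploader sharing one piece of data, the scoped export that only returns the user's own upload, and the count of extra pieces a notification ought to report. The UPLOADS store, the names and the addresses are all fabricated.

```python
# Constructed sample store: (uploading_user, contact record). Alice
# imported only one public address for Bob; Carol and Dave imported
# Bob's personal address and phone numbers. Nothing here is real data.
UPLOADS = [
    ("alice", {"name": "Bob", "emails": {"bob@example.com"}, "phones": set()}),
    ("carol", {"name": "Bob", "emails": {"bob@example.com", "bob.private@example.net"},
               "phones": {"+1-555-0100"}}),
    ("dave", {"name": "Robert", "emails": {"bob.private@example.net"},
              "phones": {"+1-555-0100", "+1-555-0199"}}),
    ("carol", {"name": "Eve", "emails": {"eve@example.org"}, "phones": set()}),
]


def _pieces(rec):
    """All identifying pieces of contact data in one record."""
    return set(rec["emails"]) | set(rec["phones"])


def export_merged(user, uploads=UPLOADS):
    """Flawed behaviour: each contact the user uploaded is expanded with
    every record, from any uploader, that shares at least one piece of
    data with it. Matching is followed transitively, so one public email
    can pull in pieces the user never had (the dossier effect)."""
    result = []
    for who, rec in uploads:
        if who != user:
            continue
        seen = _pieces(rec)
        changed = True
        while changed:  # keep absorbing records linked by any shared piece
            changed = False
            for _, other in uploads:
                p = _pieces(other)
                if p & seen and not p <= seen:
                    seen |= p
                    changed = True
        result.append(seen)
    return result


def export_scoped(user, uploads=UPLOADS):
    """Corrected behaviour: the export contains only what this user
    uploaded, never data contributed by other users' address books."""
    return [_pieces(rec) for who, rec in uploads if who == user]


def extra_pieces_disclosed(user, uploads=UPLOADS):
    """Items the flawed export leaked to 'user' beyond their own upload,
    i.e. the figure a breach notification to that user should state."""
    own = set().union(*export_scoped(user, uploads))
    leaked = set().union(*export_merged(user, uploads))
    return len(leaked - own)
```

For "alice" the scoped export holds one address while the merged export holds four pieces, so a truthful notification would report three disclosed items, not one.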
Disturbingly, Facebook declined to answer many of Packet Storm's
crucial questions, and at one point Facebook actually told Packet
Storm that Facebook stood on First Amendment rights with this data
The policy being that in this area, your data is not yours; it belongs
to your friends, and by its rules your friends — or merely people you
know — have more control over your data than you do.
Facebook's DYI history feature rolled out October 2010 to more than
500 million Facebook users over the span of a number of months.
Lawyers wrote about using DYI as a discovery tool for court cases, for
both clients and adversaries.
A month after Facebook's DYI history download tool was rolled out to
500 million users, November 2011, the U.S. Federal Trade Commission
(FTC) settled its complaint with Facebook regarding changes the site
made in 2009 in regard to user privacy that the Federal government
called “unfair and deceptive.”
According to the 2011 agreement, Facebook: “shall not misrepresent in
any manner, expressly or by implication, the extent to which it
maintains the privacy or security of covered information.”
In addition, Facebook was ordered "to notify users and obtain their
consent before sharing any information" that “materially exceeds the
restrictions imposed by a user’s privacy setting.”
This meant that Facebook would need users to consent before it shares
their data in a way that is different from how users initially agreed.
Unfortunately, it didn't say anything about data or information
Facebook obtains from a user's friends, retained and shadow-profiled
under the banner of "making better friend recommendations."
In December 2011, Max Schrems of Vienna, Austria, went a step further
than downloading his own information and sent a formal request to
Facebook citing European law and asked for his data. He received a CD
with 1,222 files.
The unsettling detail of his Facebook dossier included items he'd
deleted: likes, unlikes, and a plethora of information on his friends'
activities and even their whereabouts at any given time.
As of June 2013, there are 1.11 billion Facebook users, with 665
million active daily. Its 2012 revenue was $5.09 billion. The number
of people who utilized the Download Your Information tool in 2012 is
unknown; when reached for comment on frequency of use, Facebook told
ZDNet the DYI numbers are not made available publicly.
We will likely never know how many people obtained Facebook's shadow
profile data on others.
In their most recent post, Packet Storm cautioned that beyond the
egregious privacy violations in Facebook's claims to ownership of data
on users not obtained with their consent, or the dossiers being built
on people who aren't on Facebook:
We may never know the true numbers surrounding the disclosure but the
liability of housing this additional data appears obvious.
Governments aside, history shows that Facebook has been successfully
targeted by Chinese hackers and known malicious hackers.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss