The feature in question was designed to enable users to enter a Facebook user’s phone numbers or email addresses into the social network’s Search tool to find friends. But new revelations from Facebook indicate the feature was also used by malicious actors to scrape the data of millions of Facebook users. The company has since disabled the feature, said Zuckerberg on Wednesday, speaking at a press conference about the company’s data privacy policies.
“Many Facebook users are naturally upset about this situation, but in the end, the moral of the story here is that people need to be more considerate about what data they are sharing and with whom,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team. “This is one of those situations that should be an eye opener to people on the importance of reading before clicking ‘OK.’”
The opt-in feature left a gaping security hole for cybercriminals to collect limited PII data on Facebook users that could later be used in targeted attacks. According to Zuckerberg, the company is aware of a many malicious instances when the tool has been collected by one or more third parties. “We’ve seen some scraping… I would assume if you had that setting turned on that someone, at some point, has access to your public information in some way,” he said.
CTO Mike Schroepfer also outlined this issue in a recent blog post, saying: “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
“So we have now disabled this feature,” Schroepfer said in the post. “We’re also making changes to account recovery to reduce the risk of scraping as well.”
Koby Kilimnik, security researcher at Imperva, said that there are mitigations that can be offered against scrapers, “but the end user shouldn’t assume such solutions are in use when they post to any selected site they are registered to.”
“Even if your data isn’t fully public on Facebook and other social media, your friends and connections can make it public if they so choose to by simply copying it to the public domain,” he said. “That doesn’t mean that we can’t share, but we should understand the ramifications of the act in full and inform others so they would be able to decide on their own what they want to do with their private data.”
Facebook has been under public scrutiny since March, when it was discovered that a third-party application had handed over the data of millions of platform users to Cambridge Analytica – a consulting group that has worked on several high-profile political campaigns, including that of President Donald Trump’s – since 2015. According to Facebook, up to 87 million people may have had their data improperly shared with Cambridge Analytica.
Gennie Gebhart, researcher at the Electronic Frontier Foundation, told Threatpost that the privacy concerns will continue as long as data is accessible on Facebook by third parties.
“It’s important to not lose sight of the fact that the problem here isn’t bad actors, and it isn’t third parties — the real problem is that Facebook is collecting, storing, and building very efficient infrastructure to allow others to find an unprecedented amount of user data. Until that changes, the privacy concerns… are not going to go away,” she said.
Zuckerberg, for his part, on Wednesday’s call reiterated that Facebook was prioritizing privacy and protecting users’ information.
“It’s not enough to just connect people… It’s not enough just to give people a voice, we have to make sure that people are not using that voice to hurt people or spread misinformation. And it’s not enough to give people tools to sign into apps, we have to make sure that all those developers protect people’s information too,” he said.
However, the debacle has left the security industry skeptical of data privacy on Facebook, and social media in general.
“The focus of Facebook’s various announcements seemed to be on protecting people’s data from third-party developers, but the changes don’t go to the point of protecting people from Facebook itself. With one or two high-profile exceptions, Facebook’s statements did not promise to stop collecting user data or stop storing it,” said Gebhart.