A flaw in the way Facebook lets people upload contacts and download their information has been left open for months, leaking information including contact details for six million people.

Labelled a “good old-fashioned data-mismanagement leak”, the flaw over-shared information when users downloaded their data. Along with the user’s own data, Facebook served up contact information about friends of friends, and other contacts in other users’ networks. That included contact data for people who were not on Facebook at all.

Facebook vulnerability

“Some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook,” a blog post from the social network’s security team read.

“As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”

Approximately six million Facebook users’ email addresses or telephone numbers were shared, Facebook said, along with contact details that “were not connected to any Facebook users or even names of individuals”.
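The mechanism Facebook describes above, contact details harvested from other users' address-book uploads being stored against a person's account and then emitted by the account-archive export, comes down to an export path that does not check where each stored value came from or who was allowed to see it. The following added example (not Facebook's code; the schema, account names and functions are hypothetical) models a small store in which every contact detail carries a provenance tag and, for self-provided data, a visibility setting. It shows an over-sharing export beside a scoped one that releases a friend's detail only if the friend shared it under their own setting or the requester uploaded it themselves, and computes the difference between the two.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical schema for illustration only; not Facebook's real data model.
@dataclass(frozen=True)
class ContactDetail:
    kind: str                  # "email" or "phone"
    value: str
    source: str                # "self": entered by the account holder
                               # "imported": harvested from another user's contact upload
    uploaded_by: str           # account id that supplied this detail
    visibility: Optional[str]  # "public" / "friends" / "only_me" for self-provided data;
                               # imported details carry no visibility setting at all

# Constructed sample data: bob's account holds two details he entered himself and
# two that arrived via other people's contact uploads.
STORE: Dict[str, List[ContactDetail]] = {
    "bob": [
        ContactDetail("email", "bob@example.com", "self", "bob", "friends"),
        ContactDetail("phone", "+1-555-0101", "self", "bob", "only_me"),
        ContactDetail("email", "bob.old@example.com", "imported", "carol", None),
        ContactDetail("phone", "+1-555-0199", "imported", "alice", None),
    ],
}
FRIENDS: Dict[str, List[str]] = {
    "alice": ["bob"],
    "bob": ["alice", "carol"],
    "carol": ["bob"],
}


def export_contacts_buggy(requester: str) -> Dict[str, List[str]]:
    """Over-sharing export: dumps everything stored against each friend's account,
    including details that other users uploaded and the friend never chose to share."""
    return {
        friend: [d.value for d in STORE.get(friend, [])]
        for friend in FRIENDS.get(requester, [])
    }


def _visible_to(detail: ContactDetail, owner: str, requester: str) -> bool:
    """Apply the owner's own visibility setting to a self-provided detail."""
    if detail.visibility == "public":
        return True
    if detail.visibility == "friends":
        return requester in FRIENDS.get(owner, [])
    return False  # "only_me" or unset: never released to anyone else


def export_contacts_fixed(requester: str) -> Dict[str, List[str]]:
    """Scoped export: a detail about a friend is released only if the friend shared
    it with the requester under their privacy setting, or the requester uploaded it."""
    result: Dict[str, List[str]] = {}
    for friend in FRIENDS.get(requester, []):
        allowed = []
        for d in STORE.get(friend, []):
            if d.source == "self" and _visible_to(d, friend, requester):
                allowed.append(d.value)
            elif d.source == "imported" and d.uploaded_by == requester:
                allowed.append(d.value)  # the requester's own address-book entry
        result[friend] = allowed
    return result


def leaked_values(requester: str) -> List[str]:
    """Values the over-sharing export releases that the scoped export would not."""
    buggy = export_contacts_buggy(requester)
    fixed = export_contacts_fixed(requester)
    return sorted(
        v for f, vals in buggy.items() for v in vals if v not in fixed.get(f, [])
    )


if __name__ == "__main__":
    print("buggy :", export_contacts_buggy("alice"))
    print("fixed :", export_contacts_fixed("alice"))
    print("leaked:", leaked_values("alice"))
```

Run as written, the scoped export gives alice only bob's friends-visible email and the number she uploaded herself; the two values the over-sharing export adds are bob's only-me phone number and an old email address that carol, not alice, supplied. The provenance tag is the key design point: data imported from one user's upload is never a fact the subject agreed to publish, so an export should treat it as belonging to the uploader, not to the account it was matched against.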

It attempted to assuage any user ire by noting “each individual email address or telephone number was only included in a download once or twice” and no other personal data was exposed. Furthermore, there were no reports that the information had been abused by people who received it.

However, Packet Storm, which shares threat information and has been looking into the bug, said it found uploading just one public email address for a single user could “reap a dozen additional pieces of contact information”.

“Concerns still remain about the fact that dossiers are being built on everyone possible,” a post on the Packet Storm website said.

“The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening.”

Packet Storm approached Facebook, asking if it would ever commit to automatically discarding data about individuals who do not have a known Facebook account. Facebook said no, as contacts amount to user data submitted to the company, and it is “allowed to do with it what [it] wants”, according to Packet Storm.

Packet Storm also asked Facebook if it would delete data uploaded about users via third parties, including friends, if it is not in line with those users’ privacy settings. “We were basically met with the same reasoning as above and in their wording they actually went as far as claiming that it would be a freedom of speech violation,” the company added.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
