A flaw in the way Facebook lets people upload contacts and download their own information was left open for months, leaking data including the contact details of six million people.
Labelled a “good old-fashioned data-mismanagement leak”, the flaw over-shared information when users downloaded their data. Along with the user’s own data, Facebook served up contact information about friends of friends, and other contacts in other users’ networks. That included contact data for people who were not on Facebook at all.
“As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”
Approximately six million Facebook users’ email addresses or telephone numbers were shared, Facebook said, along with contact details that “were not connected to any Facebook users or even names of individuals”.
Facebook attempted to assuage user ire by noting that “each individual email address or telephone number was only included in a download once or twice” and that no other personal data was exposed. It added that it had received no reports of the information being abused by the people who downloaded it.
However, Packet Storm, which shares threat information and has been looking into the bug, said it found uploading just one public email address for a single user could “reap a dozen additional pieces of contact information”.
“Concerns still remain about the fact that dossiers are being built on everyone possible,” a post on the Packet Storm website said.
“The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening.”
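The mechanism the article describes, as an added illustration (this is constructed model code, not Facebook's, and the class and user names are hypothetical): a contact-import store merges every uploaded address-book entry that shares an email address or phone number into one record per person, so the record a user uploaded one identifier for grows as other users upload more. A "Download Your Information" export that returns the merged record hands back identifiers the requesting user never supplied, which is exactly the over-sharing reported above, and also how one uploaded address can "reap" several additional pieces of contact data. The data-minimising export beside it returns only what that user uploaded.

```python
from collections import defaultdict


class ContactStore:
    """Constructed toy model of a contact-import store.

    Entries from every uploader are merged into one record per person:
    two entries belong to the same record if they share any identifier
    (email address or phone number). The store does not know whether an
    identifier belongs to a registered account, so non-members are merged too.
    """

    def __init__(self):
        self._id_of = {}                     # identifier -> record id
        self._records = {}                   # record id -> set of identifiers
        self._uploads = defaultdict(list)    # uploader -> list of identifier sets they supplied
        self._next = 0

    def upload(self, uploader, identifiers):
        """Add one address-book entry, merging with any record that shares an identifier."""
        ids = set(identifiers)
        hits = {self._id_of[i] for i in ids if i in self._id_of}
        merged = set(ids)
        if hits:
            rid = min(hits)
            for h in hits:
                merged |= self._records.pop(h)
        else:
            rid = self._next
            self._next += 1
        self._records[rid] = merged
        for i in merged:
            self._id_of[i] = rid
        # Provenance: remember exactly what this uploader gave us.
        self._uploads[uploader].append(ids)
        return rid

    def export_over_sharing(self, user):
        """Buggy export: returns the whole merged record for each contact the user
        uploaded, including identifiers that other users supplied."""
        out = set()
        for ids in self._uploads[user]:
            for i in ids:
                out |= self._records[self._id_of[i]]
        return out

    def export_minimised(self, user):
        """Fixed export: returns only the identifiers this user uploaded themselves."""
        out = set()
        for ids in self._uploads[user]:
            out |= ids
        return out


def build_demo_store():
    """Constructed sample data: three hypothetical users upload entries for the same person."""
    store = ContactStore()
    store.upload("alice", ["bob@example.com"])                       # one public address
    store.upload("carol", ["bob@example.com", "+15550000001"])       # links a phone number
    store.upload("dave", ["+15550000001", "bob.work@example.com",    # links a second address
                          "+15550000002"])                           # and a second phone number
    return store


def leaked_identifiers(store, user):
    """Identifiers the buggy export hands to `user` that `user` never uploaded."""
    return store.export_over_sharing(user) - store.export_minimised(user)


if __name__ == "__main__":
    s = build_demo_store()
    print("alice uploaded:      ", sorted(s.export_minimised("alice")))
    print("over-sharing export: ", sorted(s.export_over_sharing("alice")))
    print("leaked to alice:     ", sorted(leaked_identifiers(s, "alice")))
```

The check a practitioner would add to an export path is the one `export_minimised` encodes: filter by provenance (who supplied each field) rather than by which merged record a contact happens to belong to. Merging on shared identifiers is a legitimate way to de-duplicate, but the merged record must never be the unit that is returned to a single uploader.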
Packet Storm approached Facebook, asking whether it would commit to automatically discarding data about individuals who do not have a known Facebook account. Facebook said no, as uploaded contacts amount to user data submitted to the company, and it is “allowed to do with it what [it] wants”, according to Packet Storm.
Packet Storm also asked Facebook whether it would delete data uploaded about users by third parties, including friends, when that data is not in line with the user’s own privacy settings. “We were basically met with the same reasoning as above and in their wording they actually went as far as claiming that it would be a freedom of speech violation,” the company added.