Facebook leaks are a lot leakier than Facebook is letting on


Remember last week, when Naked Security et al. told you that Facebook leaked email addresses and phone numbers for 6 million users, but that it was really kind of a modest leak, given that it’s a billion-user service?

OK, scratch the “modest” part.

The researchers who originally found out that Facebook is actually creating secret dossiers for users are now saying the numbers don’t quite match up.

The number of affected users Facebook noted in a posting on its security blog is far lower than what the researchers themselves found, and Facebook is also “hoarding non-user contact information – seen when it was also shared and exposed in the leak,” writes ZDNet’s Violet Blue.

The bug involved the exposure of contact details when using the Download Your Information (DYI) tool to access data history records, which resulted in access to an address book with contacts users hadn’t provided to Facebook.

What that means is that even if you don’t share details of your own personal information with Facebook, Facebook may well have gotten it through other people in your network who’ve let Facebook have access to their contact lists.

Facebook accidentally combined these “shadow” profiles with users’ own Facebook profiles and then blurted both data sets out to people who used the DYI tool and who had some connection to the people whose data was breached.

It’s understandable why Facebook users are steamed.

Facebook has gotten information you didn’t choose to share, has retained it, and has inadvertently left it open for unauthorized access since at least 2012.

Some users, in fact, complained in comments that the bug persisted even after Facebook reportedly fixed it, according to Violet Blue.

Packet Storm reported on Wednesday that its researchers, who had prior test data verifying the leak, were able to compare what they knew was being leaked with what Facebook reported to its users.

Packet Storm claims that Facebook didn’t come clean about all the data involved.

From its posting:

"We compared Facebook email notification data to our test case data. In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure...

"Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the 'bug' when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher."

Not only is the extent of exposed data likely to expand, Packet Storm says, but the number of people affected is much higher than 6 million, given that Facebook has only contacted its users.

Here’s how Facebook replied when Packet Storm asked about contacting non-users about the breach:

"We asked Facebook if they enumerated the information in hopes that their reporting had a bug but we were told that they only notified users if the leaked information mapped to their name.

"We asked Facebook what this means for non-Facebook-users who had their information also disclosed. The answer was simple - they were not contacted and the information was not reported. Facebook felt that if they attempted to contact non-users, it would lead to more information disclosure."

That’s a “weak, circular” argument, Packet Storm complains.

To better protect users’ contact and personal information, the researchers suggest that Facebook can simply adopt this suggested flow:

1. When a person uploads someone's contact information, Facebook should automatically correlate it to what they have shared on their profile (and obviously only suggest them as a friend if their settings allow it). If their settings do not allow it, they should treat it as a user not in Facebook (see #2). If the information uploaded includes data specific to an individual who does not already have that data included in their profile, Facebook should provide a notification along the lines of:

"You are attempting to add data about John Smith that he has not shared with Facebook. How do you want to handle this situation?"

Two options are provided:

A) "Ask John Smith's permission to add this information"

B) "Discard additional information"

If they choose option A, John Smith is notified by Facebook the next time he logs in and gets to decide what he wants to do with HIS data. Seems simple enough.

2. When a person uploads someone's contact information and it does not correlate to any Facebook user, they should be able to use it for the Invitation feature with the caveat that Facebook automatically deletes all data within 1 week. The invite to the person can say "this link will expire in 1 week", which it should anyways. When an individual uses the invitation link to sign up, THEY will decide what information to share with Facebook.
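The two-step flow Packet Storm proposes above, modelled as an added example (not code from Packet Storm or Facebook): uploaded contact fields are compared with what the matched user already shares, anything extra is held until that user consents or discards it, and data about non-users lives only until the invitation expires. Matching on e-mail address, the field names and the one-week TTL constant are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INVITE_TTL = timedelta(days=7)  # assumed: non-user data is deleted after the one-week invite window


@dataclass
class Profile:
    name: str
    shared: dict               # fields the user has chosen to share with the service
    discoverable: bool = True  # settings allow suggesting them as a friend


@dataclass
class ContactStore:
    profiles: dict = field(default_factory=dict)  # email -> Profile (email used as identity key, assumed)
    pending: dict = field(default_factory=dict)   # email -> extra fields awaiting the data subject's decision
    invites: dict = field(default_factory=dict)   # email -> (record, expiry) for non-users only

    def upload_contact(self, record: dict, now: datetime):
        """Apply the suggested flow to one uploaded address-book entry."""
        profile = self.profiles.get(record.get("email"))
        if profile is not None and profile.discoverable:
            # Step 1: keep only what the user already shares; anything extra needs consent.
            extra = {k: v for k, v in record.items() if k not in profile.shared}
            if extra:
                self.pending[record["email"]] = extra
                return "consent_requested", extra
            return "matched", {}
        # Step 2: no discoverable user: hold the record for the invite only, with a hard expiry.
        self.invites[record["email"]] = (record, now + INVITE_TTL)
        return "invite_only", {}

    def resolve(self, email: str, accept: bool) -> dict:
        """Data subject decides at next login: option A merges the extra fields, option B discards them."""
        extra = self.pending.pop(email, {})
        if accept and email in self.profiles:
            self.profiles[email].shared.update(extra)
        return extra

    def purge_expired(self, now: datetime) -> int:
        """Delete non-user records whose invitation window has passed; returns how many were removed."""
        expired = [e for e, (_, exp) in self.invites.items() if exp <= now]
        for e in expired:
            del self.invites[e]
        return len(expired)


# Constructed sample data for the walkthrough.
store = ContactStore(profiles={"john@example.com": Profile("John Smith", {"email": "john@example.com"})})
T0 = datetime(2013, 6, 26)
```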

That does seem simple enough, but Facebook hadn’t responded to the suggestion at the time of writing.

While we wait for Facebook to (maybe) fix a situation that seems far more widespread than originally reported, we can help each other out by immediately removing our imported contacts, to keep everybody’s personal data out of this swamp.

If you haven’t done so already, you can easily remove uploaded contacts here.