Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.
Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him and then 2) auto-posted to his wall.https://twitter.com/Gabriel__Lewis/status/963121814166630400
Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.
From the sounds of the statement it’s sending to press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue.
We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.
Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator with an authenticator app such as Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS).
We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.
The Verge says it confirmed that this is happening with any reply to a Facebook 2FA text message. At least one user said on Twitter that Instagram has also spammed them with notifications to their 2FA phone number.
Lewis says he never opted in to notifications via text messaging to begin with, yet still, he and other sufferers have to put up with text spam.
As of Wednesday, some people were getting pretty steamed, with many insisting that this is clearly not a bug and accusing Facebook’s marketing of running amok:
A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all.— Matthew Green (@matthew_d_green) February 14, 2018
Of course, simply insisting that something must be deliberate doesn’t make it so.
We’re trying to get more details out of Facebook and we’ll update the story if we get them.
Update. Facebook’s Chief Security Officer, Alex Stamos, has publicly stated that “this was not an intentional decision; this was a bug“. The reason why replies sent via SMS ended up published as status notifications turned out to be a left-over feature from when people actually used SMSes to interact with Facebook. According to Stamos, “this feature is less useful these days.” No kidding! Apparently, Facebook is “working to deprecate this functionality soon.” Deprecate doesn’t mean the same as discontinue, and soon doesn’t really mean anything – but Facebook has officially used the words “we are sorry” and “this was a bug”, which is a lot better than many companies manage in the aftermath of a breach, vulnerability, bug or outage. [Added by Paul Ducklin @ 2018-02-17T15:30Z.]