Privacy is, we are told, a big part of Facebook's mission. That might come as a surprise to those of us who have had to watch friends and family share their bathroom breaks, but there it is. It is a shame for the social media giant, then, that until just a few weeks ago the site could be tricked into giving up users' personal phone numbers to advertisers.
Facebook paid a bug bounty to researchers from the USA, France and Germany who found the problem at the end of May; the fix was deployed on 22 December. That means phone numbers could have been accessed for at least seven months, although Facebook says there is no evidence that this happened.
According to the team, Facebook's self-service advertising targeting tools could be exploited to reveal a user's phone number from their email address. The same flaw meant that advertisers could collect phone numbers for users who had visited a particular webpage.
The researchers examined a tool called Custom Audiences, which advertisers can use to upload lists of anonymised customer data and then target adverts to users that Facebook can find using that information.
Facebook tells advertisers how many users will see an ad targeted to such a list, and reports how much the lists overlap if multiple ones are created. The feedback on audience size and overlap could, until it was changed, be manipulated to reveal data about users.
The 'attack' was not fast, taking several days just to upload the targeting lists. However, the researchers argued that it could have helped to enable further exploits such as phone porting.
As of late December, Facebook has fixed the bug by changing its ad targeting tools to no longer show audience sizes when customer data is used to make a new targeting list.
Remember that it isn't difficult to become an advertiser on Facebook; a few clicks and a budget as low as $1 a day are enough. For that price, anyone could have set themselves up and made use of this bug.
"There have been data brokers for years, but typically to get access to that data you had to sign a contract with them," Alan Mislove, a professor at Northeastern who worked on the project, told Wired. "Facebook and Google are de facto data brokers—they don't sell data but they are making that data available in indirect ways to a wide range of people."
Facebook's data-use policy makes it clear that your personal information should not be accessible to third parties. It states: 'We do not share information that personally identifies you … with advertising, measurement or analytics partners unless you give us permission.' Ensuring that users can trust the platform is key, which makes software flaws like this one all the more damaging.