Privacy is, we are told, a big part of Facebook's mission. That might come as a surprise to those of us who have had to watch friends and family share their bathroom breaks, but there it is. It is a shame for the social media giant, then, that the site could be tricked into giving up personal phone numbers to advertisers until just a few weeks ago.
Facebook paid a bug bounty to researchers from the USA, France and Germany who found the problem at the end of May, and fixed it on 22 December. That means that phone numbers could have been accessed for at least seven months, although Facebook says there is no evidence that this happened.
According to the team, Facebook's self-service advertising targeting tools could be exploited to reveal a user's phone number from their email address. The same flaw meant that advertisers could collect phone numbers for users who had visited a particular webpage.
The researchers examined a tool called Custom Audiences, which advertisers can use to upload lists of anonymised customer data and then target adverts to users that Facebook can find using that information.
Facebook tells advertisers how many users will see an ad targeted to such a list, and reports how much the lists overlap if multiple ones are created. The feedback on audience size and overlap could, until it was changed, be manipulated to reveal data about users.
The ‘attack’ was not fast, taking several days to upload the targeting lists alone. However, the researchers argued that it could have helped to enable further exploits such as phone porting.
As of late December, Facebook has fixed the bug by changing its ad targeting tools to no longer show audience sizes when customer data is used to make a new targeting list.
Remember that it isn't difficult to become an advertiser on Facebook; a few clicks and a budget as low as $1 a day are enough. For that price, anyone could have set themselves up and made use of this bug.
"There have been data brokers for years, but typically to get access to that data you had to sign a contract with them," Alan Mislove, a professor at Northeastern who worked on the project, told Wired. "Facebook and Google are de facto data brokers—they don't sell data but they are making that data available in indirect ways to a wide range of people."
Facebook's data-use policy makes it clear that your personal information should not be accessible to third parties. It states: ‘We do not share information that personally identifies you … with advertising, measurement or analytics partners unless you give us permission.’ Ensuring that its users can put trust in the platform is key, but that makes software flaws like this even more damaging.