
Facebook ‘knew about phone number data leak vulnerability two years before issue was fixed’, claims security researcher

As Facebook defends its actions over a massive data leak, one researcher says he notified the company of the issue a full two years before the problem was fixed.

Last week, Business Insider revealed that the personal data of more than 500 million Facebook users had been posted in a low-level hacking forum where phone numbers were being offered for sale.

Facebook has defended itself in a lengthy blog post, pointing out that the data was obtained by scraping, rather than hacking.

“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” wrote product management director Mike Clark.

“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer.

“In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.”

In the public eye

Ethical hacker Inti De Ceukelaire says he reported the vulnerability to Facebook back in January 2017, after using the technique to discover the private phone numbers of several Belgian celebrities and politicians.

Facebook had said that the issue wasn’t a breach of privacy as the users concerned had set the ‘Who can look me up’ setting to ‘Public’. This, the company said, meant that no user information was exposed that wasn’t already public.

However, as De Ceukelaire points out, ‘Public’ was the default setting – and even when the phone number was set to ‘only me’, it was overridden to revert to ‘Public’.

“I respectfully disagreed with the company’s response back then. It seemed like a business decision. However, I had trouble with the fact that many people were not aware that even though their phone number was set to private, they could still be looked up by their phone number by default,” De Ceukelaire told The Daily Swig.

“There was not even an option to set the ‘Who can look me up’ feature to private in 2017 – they only added that later.”
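To make the mechanism concrete, here is an added example, not code from Facebook or from the article: a toy model of a contact-importer lookup. The legacy configuration ignores the ‘Who can look me up’ setting and has no lookup cap, matching the 2017 behaviour the researcher describes; the hardened one honours the setting and budgets lookups per caller. The user directory, phone numbers, caller name and the cap value are all constructed for this example.

```python
from collections import defaultdict

# Constructed toy directory: phone number -> (user id, 'Who can look me up' setting).
USERS = {
    "+3240000001": ("alice", "public"),
    "+3240000002": ("bob", "friends"),
    "+3240000003": ("carol", "only_me"),
    "+3240000004": ("dave", "public"),
}


class ContactImporter:
    """Model of a contact-importer endpoint that resolves phone numbers to accounts.

    respect_setting=False mirrors the behaviour the article describes, where
    'only me' was overridden and every number resolved as if public.
    max_per_caller caps how many numbers one caller may resolve in total; None
    models an uncapped importer (the cap is an assumed, illustrative control).
    """

    def __init__(self, respect_setting, max_per_caller=None):
        self.respect_setting = respect_setting
        self.max_per_caller = max_per_caller
        self._spent = defaultdict(int)  # per-caller lookup budget consumed

    def match(self, caller, numbers):
        self._spent[caller] += len(numbers)
        if self.max_per_caller is not None and self._spent[caller] > self.max_per_caller:
            raise PermissionError(f"{caller}: lookup budget exceeded, flag for review")
        matches = {}
        for number in numbers:
            entry = USERS.get(number)
            if entry is None:
                continue
            uid, setting = entry
            if self.respect_setting and setting != "public":
                continue  # user chose not to be discoverable by phone number
            matches[number] = uid
        return matches


def exposure(importer, caller, candidates, batch=10):
    """Count phone->account mappings handed to one caller submitting a number
    range in batches, stopping as soon as the importer refuses."""
    revealed = 0
    for i in range(0, len(candidates), batch):
        try:
            revealed += len(importer.match(caller, candidates[i:i + batch]))
        except PermissionError:
            break
    return revealed


CANDIDATES = [f"+32400000{i:02d}" for i in range(100)]  # constructed 100-number range


def compare():
    legacy = ContactImporter(respect_setting=False)                  # 2017-style
    hardened = ContactImporter(respect_setting=True, max_per_caller=20)
    return exposure(legacy, "bulk-tool", CANDIDATES), exposure(hardened, "bulk-tool", CANDIDATES)
```

Running `compare()` shows the legacy importer mapping every number in the range to an account, while the hardened one reveals only the two users who opted into public lookup before the caller's budget trips.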

‘Establishing the full facts’

Facebook may or may not be off the hook as far as GDPR is concerned, with the Irish Data Protection Commission, which oversees the Dublin-headquartered company, saying it is looking into the matter.

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” it said in a statement.

“The newly published dataset seems to comprise the original 2018 (pre GDPR) dataset and combined with additional records, which may be from a later period. The DPC attempted over the weekend to establish the full facts and is continuing to do so.”


De Ceukelaire suggests that Facebook is attempting to fudge the issue.

“It seems like most of their effort now goes into downplaying the breach, moving the discussion to terminology instead of the real issue and making sure they don’t issue an apology of any kind as it can be seen as an acknowledgement of responsibility for regulators,” he says.

The Daily Swig has reached out to Facebook for comment and will update this story accordingly.

Source: https://portswigger.net/daily-swig/facebook-knew-about-phone-number-data-leak-vulnerability-two-years-before-issue-was-fixed-claims-security-researcher


Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO