The security firm that disclosed a security hole in a Facebook feature that allows users to download their own data file says the social network giant still has questions to answer about the extent of the data breach.
Writing on its blog, Packet Storm Security said that Facebook has underestimated the extent of the breach, which affected around six million users of the social networking site and an unknown number of non-Facebook users. Packet Storm says that Facebook’s analysis of the breach failed to account for ways in which the flaw could be exploited, in an iterative fashion, to glean information on Facebook users beyond the individual pieces of data that may have been viewed by users of the Download Your Information (DYI) feature. The firm also took Facebook to task for failing to notify non-users whose information was exposed in the incident.
On Monday, Security Ledger wrote about the security flaw in the DYI feature, which Facebook fixed after being notified by Packet Storm. At the heart of the problem is a previously unknown practice of aggregating contact data submitted by Facebook users. Rather than maintain separate instances of each contact uploaded by its members (i.e. Lisa’s version of Paul’s contact information, Joe’s version of Paul’s contact information, etc.), Facebook collated the information behind the scenes. In the process, the company builds a complete dossier on users and non-users alike, linked by e-mail address(es), names, telephone numbers, and so on.
The bug that was reported, and fixed, allowed that complete dossier information to spill into copies of an individual’s “extended dataset” – a downloadable copy of all your Facebook account data. In testing, the security firm Packet Storm found that “uploading one public email address for an individual could reap a dozen additional pieces of contact information…regardless of whether or not your contacts are Facebook users.”
While expressing regret for the error, Facebook was mum on whether it would modify or discontinue the practice of constructing dossiers of contact information on users and non-users. In an e-mail to The Security Ledger, a company spokesman pointed to a 2011 report by the Office of the Data Protection Commissioner of Ireland (PDF) that indicated the company would delete Ghost Profile data compiled on non-users and would not target those users with advertisements.
Writing on Wednesday, Packet Storm said that Facebook’s estimation of the impact of the leak was too narrow. The company should “emulate the DYI process and enumerate through their data to see what else was being disclosed indirectly, and after a first pass, enumerate again with the new data to develop a more comprehensive data set similar to what we found while testing.” In so doing, Facebook would have found that much more personal data could have potentially been exposed to Facebook users.
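The two points above (the behind-the-scenes collation of uploaded contacts, and Packet Storm’s argument that a single pass over the export understates what it links to) are easier to see with a small model. The following is an added illustration, not Facebook’s or Packet Storm’s code: the address books, names, e-mail addresses and phone numbers are constructed, and the one-hop matching rule in `build_index` and `export_leaky` is an assumption chosen to show why feeding exported identifiers back into a second upload reaches data the first download did not.

```python
"""Constructed model of contact collation and the leaky DYI export.

Added example, not code from the article or from Facebook. All uploads,
names and identifiers below are made up; the matching rule is an assumption.
"""
from collections import defaultdict

# Fields that Facebook, per the article, used to link records across uploaders.
IDENTIFIER_FIELDS = ("email", "phone")

# Constructed address books uploaded by different members. Each record is that
# member's own, partial view of one contact; none of the contacts has an account.
UPLOADS = {
    "lisa": [{"name": "Paul Example", "email": "paul@example.org"}],
    "joe":  [{"name": "Paul Example", "email": "paul@example.org", "phone": "+1-555-0100"}],
    "ann":  [{"name": "P. Example", "phone": "+1-555-0100", "email": "paul.work@example.com"}],
    "bob":  [{"name": "Dana Doe", "email": "dana@example.net"}],
}


def build_index(uploads):
    """Collate uploads the way the article describes: instead of keeping Lisa's
    and Joe's copies of Paul apart, file every record under each identifier it
    carries, so one lookup by e-mail or phone reaches everything anyone uploaded."""
    index = defaultdict(list)
    for uploader, book in uploads.items():
        for rec in book:
            for field in IDENTIFIER_FIELDS:
                if field in rec:
                    index[(field, rec[field])].append((uploader, rec))
    return index


def export_leaky(own_record, index):
    """DYI export as the bug behaved: the member's own contact comes back padded
    with every field other members uploaded for any matching identifier.
    Matching is one hop (an assumption of this model): only identifiers present
    in own_record are looked up, not identifiers discovered along the way."""
    merged = defaultdict(set)
    for field in IDENTIFIER_FIELDS:
        key = (field, own_record.get(field))
        for _uploader, rec in index.get(key, []):
            for f, v in rec.items():
                merged[f].add(v)
    return {f: sorted(vals) for f, vals in merged.items()}


def export_fixed(own_record, index):
    """Corrected export: only what this member uploaded, whatever the collated
    index holds for the same identifiers (index is deliberately unused)."""
    return dict(own_record)


def enumerate_contact(seed, uploads, max_rounds=10):
    """Packet Storm's point: treat each identifier learned from a download as a
    new contact to upload, download again, and repeat until nothing new appears.
    Returns the set of (field, value) pairs reached and the number of rounds."""
    index = build_index(uploads)
    known = {(f, v) for f, v in seed.items() if f in IDENTIFIER_FIELDS}
    learned = set()
    frontier = set(known)
    rounds = 0
    while frontier and rounds < max_rounds:
        rounds += 1
        new = set()
        for field, value in frontier:
            # Each probe stands in for uploading a contact holding just this identifier.
            for f, vals in export_leaky({field: value}, index).items():
                for v in vals:
                    pair = (f, v)
                    if pair in learned:
                        continue
                    learned.add(pair)
                    if f in IDENTIFIER_FIELDS and pair not in known:
                        known.add(pair)
                        new.add(pair)
        frontier = new
    return learned, rounds


if __name__ == "__main__":
    idx = build_index(UPLOADS)
    seed = {"email": "paul@example.org"}
    print("fixed export:  ", export_fixed(seed, idx))
    print("single pass:   ", export_leaky(seed, idx))
    print("iterated:      ", *enumerate_contact(seed, UPLOADS))
```

With one seed address the single leaky pass yields Paul’s name, e-mail and the phone number Joe uploaded; re-probing with that phone number reaches Ann’s record and a second e-mail address, and only a third round confirms nothing further is linked. Dana’s record, which shares no identifier with Paul’s, is never touched, which is the property a corrected export should preserve for every record.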
Packet Storm also took Facebook to task for refusing to notify non-users whose information was disclosed. Facebook demurred, the firm said, arguing that any attempt to contact non-users would itself lead to more information disclosure.
The larger question appears to be whether Facebook will bend its information harvesting to respect user privacy settings: discarding any information on users and non-users that is inadvertently obtained through shared contacts or other means. On that issue, as well as others, Facebook isn’t saying much.