The profile names, email addresses, and phone numbers of over 500 million Facebook users have been circulating publicly online for nearly a week. It took days for Facebook to finally acknowledge the root cause, an issue the company says it fixed in 2019. But now researchers are saying Facebook knew about similar vulnerabilities for years before that, and it could have made a far greater effort to prevent the mass scraping in the first place.
At issue is Facebook's “content importer,” a feature that combs a user's address book to find people they know who also use Facebook. Many social networks and communication apps offer some version of this as a sort of social lubricant. But Facebook's contact import tool in particular has had a number of known problems, and supposed fixes, over the years.
“I'm sure other companies are sweating as well now. It's not just Facebook," says Inti De Ceukelaire, a Belgian security researcher who reported a vulnerability in Facebook's contact import feature to the company in 2017. “But it’s a recurring theme for Facebook that whenever growth is at stake, they will think twice about fixing something to benefit the user’s privacy.”
De Ceukelaire and other researchers had already alerted Facebook to similar issues. In 2012, Facebook made changes that resulted in the site's “Download Your Information” tool leaking phone numbers and email addresses that users had not supplied themselves through the contact import feature. A researcher disclosed the issue to Facebook in 2013; in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland investigated the finding.
"O ..
Support the originator by clicking the read the rest link below.
