It’s been a bad week for Facebook and its two billion-plus users.
Firstly it was discovered by computer scientists at Northeastern University that Facebook was allowing advertisers to target advertising at individuals by exploiting phone numbers only given by the users for the purposes of two-factor authentication (2FA).
In short, even if you had set your Facebook privacy controls to their most restrictive settings – advertisers could still target you because you had (quite sensibly) enabled two-factor authentication to protect your account from hackers.
Similarly, according to the research, it seems there are pitfalls if users provide their phone number to receive alerts about unrecognised logins on their Facebook account:
“Facebook allows users to add email addresses or phone numbers to receive alerts about logins from unrecognized devices. We added a phone number and an email address to an author’s account to receive login alerts, and found that both the email address and phone number became targetable after 17 days.”
It’s one thing to use information that users choose to include in their Facebook profile for targeted advertising. It’s quite another to take advantage of information that was only shared with the site to boost security.
Remember, unrecognised login alerts and 2FA are features that users should be actively encouraged to enable, to better protect their Facebook accounts. When Facebook is revealed to be helping advertisers exploit such private, personal information, it only encourages users not to enable these protections in the first place.
And that’s not all… The researchers confirmed that Facebook was using “shadow contact information”, collected from other Facebook users’ address books, and associating them with your account. Facebook hides the fact that it has connected, for instance, alternative email addresses and phone numbers to your profile but uses it to assist targeted advertising.
As Kashmir Hill of Gizmodo explains:
…if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.
All of this amounts to what the EFF describes as “deceptive and invasive” practices by Facebook, which ignore “reasonable security and privacy expectations”.
Such behaviour by Facebook inevitably erodes users’ trust in the service.
And then the world found out about the security breach.
On Friday 28th September, Facebook went public with details of a “security issue” that it had discovered earlier in the week.
Approximately 50 million accounts were left exposed to attackers who were able to exploit a vulnerability in the site’s “View As” feature (actually a combination of three bugs). This security hole allowed hackers to steal users’ access tokens:
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The bad news is that these Facebook access tokens could not only be used to access Facebook accounts, but also other third-party apps that use Facebook for login.
According to Facebook, the vulnerability in its code was introduced in July 2017, and on September 16th 2018 it saw a massive spike in traffic on its servers as hackers exploited the flaw and harvested access tokens for other users’ accounts. It took until September 25th for Facebook to determine that there had been a security breach.
Facebook says it has temporarily disabled its “View As” feature until it has completed a “thorough security review”.
You can learn more about both of these issues in this edition of the “Smashing Security” podcast:
Smashing Security #098: 'A Facebook omnishambles'
High-profile victims of the “View As” security breach are reported to include Mark Zuckerberg, as well as Facebook’s chief operating officer, Sheryl Sandberg, and its European vice-president, Nicola Mendelsohn.
What a week. It’s enough to make you reconsider your relationship with Facebook, isn’t it?
I quit Facebook earlier this year. If you’re finding it hard to imagine doing the same, why not listen to this “Smashing Security” podcast we put together describing the process of quitting Facebook:
Smashing Security #075: 'Quitting Facebook'
If it helps, just consider your Facebook departure as “temporary” while you complete a “thorough security review.” You may find you don’t miss it at all.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
8 comments on “Two reasons to reconsider your Facebook membership”
"According to Facebook, the vulnerability in its code was introduced in July 2017, and on September 16th it saw a massive spike in traffic on its servers as hackers exploited the flaw"
Is this a typo, or did they keep it quiet for more than a year?
No, the feature was introduced in July 2017. We don't know just when hackers discovered the bug in the feature, but assume it was recently, perhaps within days of the spike in traffic.
I'm going to kill my account now, even though I hardly use it, my total data they claim to have on me was only 467kb, which is not much, and I downloaded to review it too. It's nothing compared to what's been revealed now, that they collected without our knowledge. Trust is gone.
I read it that they discovered it in September 2018, but the vulnerability had existed since a code change in July 2017.
So they didn't keep it quiet but have been able to establish how long the issue existed for.
That's correct, John.
Facebook introduced the flaw in July 2017.
There was a lot of traffic exploiting the flaw on September 16 2018.
Facebook investigated the traffic spike, and determined that someone had been exploiting the flaw, on 25 September 2018.
On Friday 28 September 2018 – coincidentally (?) while the whole world's media were distracted by the ongoing circus around the Brett Kavanaugh hearings – Facebook went public.
There's nothing to suggest that Facebook knew about the problem before September 2018.
Personally, I would consider Facebook to be a public platform, no matter what security restrictions you enforce on your FB accounts. Someone somewhere is going to read your details eventually. This is probably true of any data you enter onto the web. Ultimately, it will be hacked open and plundered by black-hatters. The web has made the world and all of its transactions transparent. Personally, I don't mind because it's stupid trying to keep secrets nowadays. The web and the ubiquity of surveillance technology mean you're always being watched, investigated and anticipated. The watchers have not changed my life or actions therein. The watchers have no lives of their own!
Mr. Jacobs: You're welcome to believe that "it’s stupid trying to keep secrets nowadays", but your sanguine attitude will change quickly if you become a victim of identity theft.
I can tell you from personal experience that the watchers will change your "life or actions therein" significantly, and you won't like it.
I expect that you'll suddenly acquire a vastly different perspective about what you're now calling "stupid".
The thing that continues to bother me with Facebook and Messenger is that, although I've disabled targeted advertising, I still get adverts targeted to my country and age. Out of the last two adverts, one said I may be seeing it because I'd recently been near their business, which I had but I don't share my location with Facebook, Messenger, WhatsApp or Instagram; the other was MuleSoft and it suggested I was similar to their customers, which I probably am. None of that seems like non-targeted advertising to me.
Facebook aren't alone — Twitter also shows me ads based on country and age when I've opted out of targeted ads.
The problem is going to be when they start changing your pages; wait and see, it's coming. My take: no one's opinions nor lives are that important, it's all self-adulation.