Facebook has announced that a system bug may have revealed users’ personal phone numbers to advertisers.
WIRED reports that a bug in Facebook’s ad-targeting tools allowed advertisers to obtain Facebook users’ phone numbers from their email addresses, and even gave advertisers access to the phone numbers of users who had visited a particular web page. The issue was reported by a group of researchers from the U.S., France, and Germany at the end of May. Facebook paid the researchers a “bug bounty” of $5000 at the time and implemented a fix for the bug on December 22.
The bug represents a major breach of Facebook’s data-use policy, which specifically states, “We do not share information that personally identifies you … with advertising, measurement or analytics partners unless you give us permission.” Facebook has stated that, to its knowledge, no one has used the exploit to gain access to user data, given the level of skill required to trigger the bug. According to Neil Gong, a professor at Iowa State who works on social-network privacy, however, the issue points to a larger problem with Facebook’s business model.
Bugs and exploits on large websites are by no means uncommon, but the problem with Facebook is that a bug on its website could reveal the personal information of millions of social media users. The advertising exploit is particularly worrying because anyone can sign up to place ads on Facebook, which means that anyone could potentially gain access to Facebook’s user data. Alan Mislove, a professor at Northeastern and a researcher on the team that discovered the advertising exploit, stated, “There have been data brokers for years but typically to get access to that data you had to sign a contract with them. Facebook and Google are de facto data brokers — they don’t sell data but they are making that data available in indirect ways to a wide range of people.”
The group that discovered the Facebook advertising bug consisted of researchers from the French research institutions EURECOM and the University of Grenoble Alpes, and from the Max Planck Institute for Software Systems in Germany. The researchers plan to present their findings on the bug at a security conference in May. Facebook’s vice president for ads, Rob Goldman, commented on the researchers’ work, saying, “We’re grateful to the researcher who brought this to our attention through our bug bounty program. While we haven’t seen any abuse of this complex technique, we’ve made product changes to prevent this from occurring.” Facebook says its bug-bounty program has paid out nearly $1 million in the past year, in payments starting at $500.
Krishna Gummadi, a researcher at the Max Planck Institute for Software Systems and one of the researchers who discovered the bug, commented on Facebook’s fix for the exploit: “If I had to bet on it I would think there are other bugs in there,” he says. “Facebook has data on a lot of people and is making this data accessible to advertisers through some very feature rich interfaces.”