Facebook appears to have yet another security vulnerability to deal with, one which it apparently ignored and initially did not deem important enough to fix. A report on the matter by Ars Technica highlights the findings of a security researcher who spent less than Rs 1,000 to buy 200 fake Facebook accounts and fed their session cookies into an automated tool called Facebook Email Search. According to the researcher's findings, the tool could link users' email addresses to their accounts even when those users had told Facebook not to share their email IDs with anyone. Furthermore, the Facebook Email Search v1.0 tool could apparently query up to 5 million user accounts per day, a throughput which suggests that bulk data mining tools exploiting Facebook weaknesses at this scale are in regular use.
‘Not important enough’
Alongside the numbers and the volume of users that could potentially be affected, Facebook Email Search v1.0 also brought out a side of Facebook that the company has been trying hard to convince people does not exist. According to the researcher who spoke to Ars for this report, after he disclosed his findings to Facebook through its bug bounty programme, a company representative informed him that the vulnerability demonstrated by the Facebook Email Search v1.0 technique was "not important enough" to be patched, and that therefore no action would be taken on it.
Furthermore, the vulnerability is apparently the same one that was exploited earlier in a data mining operation that produced a dump of the personal data of almost 500 million Facebook users on the dark web. Facebook had claimed at the time that the vulnerability had been patched, but the new findings show that the fix did not cover every way the weakness could be abused. Ars reports that a leaked internal email had also revealed a Facebook PR strategy in which communications executives were urged to frame such data breaches and vulnerabilities as "broad industry issues" and to gradually establish the narrative that such incidents occur regularly. Such a mindset shows an alarmingly nonchalant attitude towards the private user data that Facebook holds on its servers.
Reluctance on privacy
In correspondence with Dan Goodin of Ars, a Facebook spokesperson said that the company had closed the bug bounty report for this vulnerability "erroneously, before routing to the appropriate team." The spokesperson further confirmed that the company is taking "initial actions" to fix what has been reported, and said that Facebook engineers had previously disabled the data mining technique described here and therefore believed that the flaw had been covered.
Facebook has, time and again, seen internal information leaked that reveals the company's general reluctance to focus seriously on user data privacy and security. While chief executive Mark Zuckerberg has claimed on multiple occasions to have shored up Facebook's privacy and security credentials, a steady stream of new concerns refuses to go away. Facebook Email Search v1.0 is only one of many tools in the open that can exploit such flaws, and it is unlikely to be the last.
Numerous privacy experts have also raised questions about Facebook's data storage and sharing framework and about the privacy safeguards written into the company's policy. However, none of this has prevented user data from being exploited repeatedly, and as a result it would not be surprising to see yet another multi-million-account Facebook database leaked. Such data dumps are also used to collate information for identity theft, which makes Facebook's general denial of its security issues even more alarming.