Facebook: Math of the Aftermath
Posted Jun 26, 2013
Source Packet Storm

Last week Facebook attempted to address a security and privacy flaw we helped report to them in conjunction with Michael Fury, the discoverer of the problem. Facebook's response was to email 6 million users, alerting them to an unexpected disclosure of their information and a brief explanation of the "bug" that caused it. As we had prior test data that verified the leak, we were in a position to compare what we knew was being leaked with what Facebook was reporting to their users.



Something Doesn't Add Up

Packet Storm gave Facebook the bad news on Friday after the initial story broke. We compared Facebook email notification data to our test case data. In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure. They spent the weekend analyzing our information and we spent Monday and Tuesday sending questions back and forth.

Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the "bug" when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure, and we suspect the numbers are much higher.

Facebook's Public Acknowledgement

The following is an example email sent out to 6 million users on Friday:

Hi [[Affected User]],

Your privacy is incredibly important to everyone who works at Facebook, and we're dedicated to protecting your information. While many of us focus our full-time jobs on preventing or fixing issues before they affect anyone, we recently fell short of our goal and a technical bug caused your telephone number or email address to be accessible by another person.

The bug was limited in scope and likely only allowed someone you already know outside of Facebook to see your email address or telephone number. That said, we let you down and we are taking this error very seriously.

Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. Because of the bug, the email addresses and phone numbers used to make friend recommendations and reduce the number of invitations we send were inadvertently stored in their account on Facebook, along with their uploaded contacts. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, which included their uploaded contacts, they may have been provided with additional email addresses or telephone numbers.

Here is your contact information (inadvertently accessible by at most 1 Facebook user):

d****d@p********.com

We estimate that 1 Facebook user saw this additional contact info displayed next to your name in their downloaded copy of their account information. No other info about you was shown and it's likely that anyone who saw this is not a stranger to you, even if you're not friends on Facebook.


The statement that "No other info about you was shown" seems to be a red herring. The following is an illustration demonstrating how extra data was tied to a user, then leaked, but not reported upon.

Thought Experiment

1. Dan has an account with Facebook and has registered with dan@freemail.xy and he does not have a phone number added to Facebook. He does not want a phone number added to Facebook.

2. Alice, a friend of Dan's, uploads her contact address book information to Facebook. She may have done this via Google, her phone, or any other number of sources available. In it there is an entry for Dan with phone number 408-555-1212 and email addresses dan@freemail.xy and dan@datingsite.xy.

3. Eve, who is not a friend of Dan, pulls Dan's dan@freemail.xy email address off of his blog and uploads it to her Facebook account as a contact. She then downloads her expanded dataset from Facebook. Inside the expanded dataset is a file called addressbook.html which is supposed to only hold the contact information she uploaded. When the "bug" existed, Eve would have additionally received an entry for Dan with phone number 408-555-1212 along with email addresses dan@freemail.xy and dan@datingsite.xy, which Dan never wanted her to have.



To get to the crux of the reporting failure, we need to continue further with the experiment. We will move forward with the understanding that Eve is now armed with more of Dan's information.

4. Frank, who works for "the company" with Dan, uploads his contact information to Facebook. In it there is an entry for Dan with phone numbers 408-555-1212 and 312-555-2323 and email addresses dan@dans-secret-government-job.gov.xy and deaddrop@secretmail.xy.

5. Eve uploads a contact file to Facebook with Dan's 408-555-1212 phone number she recently scored in her last extraction. She then downloads her expanded dataset and it is revealed that Dan also has email addresses dan@dans-secret-government-job.gov.xy and deaddrop@secretmail.xy and phone number 312-555-2323, along with his dan@datingsite.xy and dan@freemail.xy email addresses. She checks 312-555-2323 on whitepages.com and finds out Dan's home address.

6. After fixing the "bug", Facebook emails Dan and only tells him the following information was disclosed: 408-555-1212, dan@freemail.xy, dan@datingsite.xy



The outcome of this thought experiment points out that Dan would not have been contacted by Facebook about the additional disclosure regarding the 312-555-2323 phone number or his dan@dans-secret-government-job.gov.xy and deaddrop@secretmail.xy email addresses. This would explain the situation where we uploaded a phone number for one person and received 7 pieces of data on them yet Facebook only told them about 3 pieces of data being disclosed. What we believe Facebook should have done was emulate the DYI process and enumerate through their data to see what else was being disclosed indirectly, and after a first pass, enumerate again with the new data to develop a more comprehensive data set similar to what we found while testing. As the notifications to the user masked the information, any erroneous information would not have caused any extra data leak. We asked Facebook if they enumerated the information in hopes that their reporting had a bug but we were told that they only notified users if the leaked information mapped to their name.
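The two-pass enumeration argued for above, as an added example that is not Packet Storm's or Facebook's code: a small Python model of the buggy DYI export, with constructed entries mirroring the thought experiment, comparing the single-pass set behind the step 6 notice with the fixed-point set a downloader could actually accumulate. The entry store, the matching rule and all identifiers are assumptions built from the story above.

```python
"""Model of the undercount described above: a single matching pass versus
re-enumerating with the newly linked data until nothing new appears.
All contact data below is constructed to mirror the Dan/Alice/Frank/Eve story."""
from typing import Dict, FrozenSet, List, Set

# Constructed: entries for Dan that other users uploaded while the bug existed.
# The bug effectively stored the full set of identifiers each uploader had for him.
UPLOADED_ENTRIES: Dict[str, List[FrozenSet[str]]] = {
    "alice": [frozenset({"408-555-1212", "dan@freemail.xy", "dan@datingsite.xy"})],
    "frank": [frozenset({"408-555-1212", "312-555-2323",
                         "dan@dans-secret-government-job.gov.xy",
                         "deaddrop@secretmail.xy"})],
}


def dyi_export(uploaded: Set[str], entries=UPLOADED_ENTRIES) -> Set[str]:
    """Model of the buggy addressbook.html: any stored entry sharing at least one
    identifier with what the downloader uploaded gets merged into their archive."""
    archive = set(uploaded)
    for owner_entries in entries.values():
        for entry in owner_entries:
            if entry & uploaded:
                archive |= entry
    return archive


def single_pass_disclosure(seed: Set[str]) -> Set[str]:
    """What one upload/download round puts in the archive; this is the set the
    notification in step 6 is built from (it includes the seed identifier)."""
    return dyi_export(seed)


def full_disclosure(seed: Set[str]) -> Set[str]:
    """Re-run the export with everything learned so far until a fixed point:
    the set a downloader could end up holding, and what the notice should cover."""
    known = set(seed)
    while True:
        learned = dyi_export(known)
        if learned <= known:
            return known
        known |= learned


def notification_gap(seed: Set[str]) -> Set[str]:
    """Identifiers that leak via the second and later passes but go unreported."""
    return full_disclosure(seed) - single_pass_disclosure(seed)
```

With Eve's first upload of dan@freemail.xy as the seed, the single pass yields the three items in step 6 while the fixed point yields six, so the gap is the three items Dan was never told about.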

We asked Facebook what this means for non-Facebook-users who had their information also disclosed. The answer was simple - they were not contacted and the information was not reported. Facebook felt that if they attempted to contact non-users, it would lead to more information disclosure. Given that they already masked the disclosed information in the email, we feel this is a weak, circular argument. If masking is good enough for their users, why isn't it for non-users?

We recognize there may be unintended consequences but remaining silent is antithetical to Facebook's own aspirational goal in winning consumers' trust. See something? Say something!

We asked Facebook if they would produce an aggregate number of all data compromised by the entire incident and they declined comment. Many people commenting on the Facebook Security blog have asked to be told who viewed their information. We asked the same question and Facebook declined comment.

We may never know the true numbers surrounding the disclosure but the liability of housing this additional data appears obvious. Governments aside, history shows that Facebook has been successfully targeted by Chinese hackers and known malicious hackers.

A Simple Solution

Anyone can complain about an issue. Eldridge Cleaver once said "There is no more neutrality in the world. You either have to be part of the solution, or you're going to be part of the problem". We have devised and offered a solution to Facebook. We hope that all social networking sites adopt this behavior when tackling this particular user data problem. We asked Facebook if they would consider implementing this flow but they have declined comment.

1. When a person uploads someone's contact information, Facebook should automatically correlate it to what they have shared on their profile (and obviously only suggest them as a friend if their settings allow it). If their settings do not allow it, they should treat it as a user not in Facebook (see #2). If the information uploaded includes data specific to an individual who does not already have that data included in their profile, Facebook should provide a notification along the lines of:

"You are attempting to add data about John Smith that he has not shared with Facebook. How do you want to handle this situation?"

Two options are provided:

A) "Ask John Smith's permission to add this information"

B) "Discard additional information"

If they choose option A, John Smith is notified by Facebook the next time he logs in and gets to decide what he wants to do with HIS data. Seems simple enough.

2. When a person uploads someone's contact information and it does not correlate to any Facebook user, they should be able to use it for the Invitation feature with the caveat that Facebook automatically deletes all data within 1 week. The invite to the person can say "this link will expire in 1 week", which it should anyway. When an individual uses the invitation link to sign up, THEY will decide what information to share with Facebook.



Stage 5: Acceptance

Facebook is very proud that they are the largest social networking site in the world, housing profiles on over a billion individuals. We hope that Facebook recognizes their unique responsibility to prevent these sorts of flaws from leading to dire consequences. As a billion users upload their contacts, their associates on and off of Facebook will all become stored and correlated. At this point, Facebook may have email addresses and phone numbers on everyone, Facebook user or not.

tags | headline, privacy, data loss, facebook, social
