Thursday, January 20

A known flaw that could have been fixed for years


For several years, cybersecurity researchers have been reporting the weakness of Facebook's contact import tool to the company, without it paying much attention. It is little surprise, then, that according to them it ended in a leak of data on more than 500 million users. The legal risk to the platform could be considerable.


Credit: Unsplash / Alex Haney

Over 530 million Facebook users recently found their personal data circulating in the wild, and it might never have happened. According to the platform, which eventually acknowledged the problem, everything was resolved in 2019. Cybersecurity researchers do not share that view.

Multiple issues already raised in the past

"I'm sure other companies are also sweating now. It's not just Facebook," Inti De Ceukelaire, a Belgian researcher, explains to Wired. As early as 2017 he reported a flaw to Facebook in its contact import tool, the function that scans your address book to suggest people you may know, which is the feature at issue here.

The tool is not specific to Mark Zuckerberg's social network (whose founder's own number was also in the leak) or to its other services such as WhatsApp and Instagram; many platforms and communication tools use one. Facebook's version, though, has raised concerns again and again over the years, each time answered with a promise of corrective measures. "It's a recurring theme for Facebook that, whenever growth is involved, they think twice before fixing something for the benefit of user privacy," the researcher adds.


Wired recalls that, in 2013, researchers had already alerted Facebook to similar problems. The previous year, a data leak through the "Download your data" tool had allowed attackers to recover personal data (phone numbers and email addresses in particular) that the people concerned had never entered on the service themselves: it had reached Facebook through the contact import function, from other users' uploaded address books.

In 2018, the investigation by the Office of the Privacy Commissioner of Canada concluded that "Facebook did not have appropriate safeguards in place prior to the breach to protect the personal information of users and non-users", non-users whose data had ended up on the platform as imported contacts.

Not a vulnerability according to Facebook …

For Inti De Ceukelaire, the problem is still present: it is quite simple to feed the contact import feature lists of phone numbers and extract the associated user information. At the time, he submitted the flaw to Facebook's bug bounty program, but the company did not consider the problem significant enough to warrant a reward, which would have amounted to acknowledging a sensitive bug in the service.

Facebook simply replied that it could lower the maximum number of contact import submissions per user (the technique here amounts to a phone number enumeration attack: submit many numbers and see which ones resolve to accounts), but that this was not a vulnerability. Facebook also pointed to the "Who can look me up" option in the privacy settings, which in practice can contradict and override a user's choice to keep certain profile information visible only to themselves or their friends.


By default, “Everyone” can find you with your email or phone number on Facebook

It was not until 2019 that the platform added an "Only me" option to the "Who can look me up" setting. But the default remains "Everyone", so anyone who holds your email address or phone number (if you have entered it) can still use it to find your profile.
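As an added illustration (not code from the article, and not Facebook's or Instagram's own implementation), the following constructed Python simulation shows why the two points above matter. A contact-matching endpoint in the weak configuration (no cap on submitted numbers, everyone findable by phone) lets a scraper enumerate an entire number range; the same scraper against a per-client cap on imported numbers combined with an honored "Only me" setting gets far less back. All users, phone numbers, client identifiers and setting names here are invented for the example.

```python
"""Toy model of a contact-import matcher and the phone number enumeration it enables.

Constructed simulation for illustration only; not Facebook's or Instagram's code.
Users, phone numbers and setting names ("Everyone", "Friends", "Only me") are invented.
"""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    phone: str
    lookup_by_phone: str = "Everyone"  # "Everyone" | "Friends" | "Only me"


class ContactImportService:
    """Matches an uploaded address book against registered users.

    max_submissions: cap on how many numbers one client may submit in total.
    None means uncapped, which is the weak configuration.
    """

    def __init__(self, users, max_submissions=None):
        self._by_phone = {u.phone: u for u in users}
        self.max_submissions = max_submissions
        self._submitted = {}  # client_id -> numbers submitted so far

    def import_contacts(self, client_id, phones, friends_of_client=frozenset()):
        """Return {phone: (user_id, name)} for submitted numbers the client may see."""
        used = self._submitted.get(client_id, 0)
        if self.max_submissions is not None and used + len(phones) > self.max_submissions:
            raise PermissionError("contact import quota exceeded")
        self._submitted[client_id] = used + len(phones)

        matches = {}
        for phone in phones:
            user = self._by_phone.get(phone)
            if user is None:
                continue
            if user.lookup_by_phone == "Only me":
                continue  # the 2019 option: never resolvable by number
            if user.lookup_by_phone == "Friends" and user.user_id not in friends_of_client:
                continue
            matches[phone] = (user.user_id, user.name)
        return matches


def enumerate_range(service, client_id, prefix, start, stop, batch=1000):
    """Attacker side: submit every number in a prefix range as if it were an address book."""
    found = {}
    numbers = [f"{prefix}{n:04d}" for n in range(start, stop)]
    for i in range(0, len(numbers), batch):
        try:
            found.update(service.import_contacts(client_id, numbers[i:i + batch]))
        except PermissionError:
            break  # quota hit: this client identity is burned
    return found


def run_demo():
    """Run the same enumeration against the weak and the hardened configuration."""
    # Weak: no cap, and every account keeps the "Everyone" default.
    weak = ContactImportService([
        User(1, "alice", "+336123400042"),
        User(2, "bob", "+336123401337"),
        User(3, "carol", "+336123409999"),
    ])
    weak_found = enumerate_range(weak, "scraper-1", "+33612340", 0, 10000)

    # Hardened: 2000 numbers per client, and two users tightened their setting.
    hard = ContactImportService([
        User(1, "alice", "+336123400042"),
        User(2, "bob", "+336123401337", lookup_by_phone="Only me"),
        User(3, "carol", "+336123409999", lookup_by_phone="Friends"),
    ], max_submissions=2000)
    hard_found = enumerate_range(hard, "scraper-1", "+33612340", 0, 10000)
    return weak_found, hard_found


if __name__ == "__main__":
    weak_found, hard_found = run_demo()
    print("weak configuration resolved:", sorted(weak_found.values()))
    print("hardened configuration resolved:", sorted(hard_found.values()))
```

Two things worth noticing in the hardened run: bob's number is inside the part of the range the scraper manages to submit, but "Only me" hides him regardless; carol is protected only because the quota ran out before her number was reached. A per-client cap slows a scraper that uses a single identity, and nothing more: spreading the same range across many accounts or fake app instances defeats it, which is why the per-user "Only me" setting is the stronger control for an individual, and why leaving the default at "Everyone" matters.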

… But ultimately yes

The huge database that leaked last week could therefore have been assembled slowly and simply. In 2019, the hacker @ZHacker13, who describes himself more as a vulnerability hunter and researcher, submitted a report on a similar bug in Instagram's contact import tool: attackers could extract data through an automated phone number enumeration attack, more effective than the one discovered in 2017. Facebook replied that it was "already aware of the problem following an internal discovery" and that this kind of vulnerability presented only an "extremely low risk (...) unless you determine to which specific user ID an email address or phone number was linked."

It took a Forbes article on his discovery for Facebook to finally recognize the report as legitimate and pay him the $4,000 bounty promised to bug hunters. "It could have allowed a malicious user to imitate Instagram and search for phone numbers to find which users they belong to," Facebook explained at the time.

Serious legal risks

Last Tuesday, Facebook used the same rhetoric to explain the recent flaw in its social network that allowed the data of more than 500 million users to be collected. "We've made changes to prevent malicious actors from using software to imitate our app and upload large sets of phone numbers to see which ones match Facebook users," the American platform explained, arguing that the leaked data was not as sensitive as health or financial data and that there was no real evidence the attackers had obtained it by hacking its systems.

By paying the bounty, Facebook admitted to a vulnerability in a contact import tool that is the same for Instagram and Facebook, even if the company maintains that the scraping took place "before September 2019" (the month the Forbes article was published). According to Wired, building the database would have required several scraping sessions, probably before 2018. That leaves room for investigations around the world, since 20 million French people are among those affected.

Source : Unsplash / Tim Bennett


For Ashkan Soltani, former chief technologist of the US Federal Trade Commission, the consumer-protection regulator, there is no doubt that Facebook's caution betrays some concern. "Given the way they try to be so careful to indicate that they haven't been hacked, I think they're probably very aware that they could face a significant liability," he told Wired.

