Saturday, 29 June 2013

Facebook bug affected more than 6 million users, says researchers from Packet Storm

Facebook NSA PRISMLook what we have here. If you remember, we informed you a few days back about the security bug in Facebook’s DYI (Download Your Information) tool that exposed contact details of almost 6 million users.  In response, the company apologized and mentioned that the effect of the bug was minimal, as people who received their friend’s data could already have that information.
However, according to Sophos, the effect of the DYI bug was much worse than the information provided by the social media giant. The numbers provided by the company doesn’t match considering that it’s a billion user network. Even if you don’t have your information on Facebook, the company may have gotten the information from the people in your network who gave Facebook access to their contacts list.
The whole debacle was unveiled by a company named Packet Storm, whose researchers had prior test data that verified the leak and were able to compare it with the numbers released by Facebook. In short, the number doesn’t simply add up.
This is what Packet Storm has to say about the entire situation,
We compared Facebook email notification data to our test case data. In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure. They spent the weekend analyzing our information and we spent Monday and Tuesday sending questions back and forth.
Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used it’s own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the “bug” when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.
When asked about the data of non-Facebook users, the company declined to comment after Packet Storm asked them to produce a report of all the information affected by this bug. In response, this is what the social giant had to say:
They were not contacted and the information was not reported. Facebook felt that if they attempted to contact non-users, it would lead to more information disclosure.
The folks at Packet Storm even provided Facebook a simple solution to tackle this problem but the company declined to comment and we don’t know yet if the solution has been implemented or not.
Let’s face it, we all know social networks may not be the safest place to put all your contact information including your email address and phone numbers. As a precautionary measure, Sophos suggests that all users should remove their contact information from social networking sites. It also recommends people to filter their friends list and remove any person they don’t know or haven’t seen in a long time.

Source: Packet Storm via Sophos

No comments:

Post a Comment