THE PROFILE NAMES, email addresses, and phone numbers of over 500 million Facebook users have been circulating publicly online for nearly a week. It took days for Facebook to finally acknowledge the root cause, an issue the company says it fixed in 2019. But now researchers are saying Facebook knew about similar vulnerabilities for years before that, and it could have made a far greater effort to prevent the mass scraping in the first place.
At issue is Facebook’s “contact importer,” a feature that combs a user’s address book to find people they know who also use Facebook. Many social networks and communication apps offer some version of this as a sort of social lubricant. But Facebook’s contact import tool in particular has had a number of known problems, and supposed fixes, over the years.
“I’m sure other companies are sweating as well now. It’s not just Facebook,” says Inti De Ceukelaire, a Belgian security researcher who reported a vulnerability in Facebook’s contact import feature to the company in 2017. “But it’s a recurring theme for Facebook that whenever growth is at stake, they will think twice about fixing something to benefit the user’s privacy.”
De Ceukelaire and other researchers had already alerted Facebook to similar issues. In 2012, Facebook made changes that resulted in the site’s “Download Your Information” tool leaking phone numbers and email addresses that the affected users had not supplied themselves, but that had reached Facebook through other people’s use of the contact import feature. A researcher disclosed the issue to Facebook in 2013; in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland investigated the finding.
“Our Office finds that FB did not have appropriate safeguards in place prior to the breach in order to protect the personal information of users and non-users,” the investigation found.
That incident differs from the more recent Facebook controversy, in which attackers were able to “scrape” Facebook by enumerating batches of possible phone numbers from more than 100 countries, submitting them to the contact import tool, and manipulating it to return the names, Facebook IDs, and other data users had posted on their profiles. Still, the lapse spoke to the potential for the contact import tool to access sensitive data and the need to look carefully for bugs and inadvertent behavior in the feature.
De Ceukelaire’s 2017 research relates much more directly to the methods the attackers used to scrape the recent, massive data set. “I discovered it is relatively simple to reveal private phone numbers on Facebook, uncovering some phone numbers of Belgian celebs and politicians,” De Ceukelaire wrote in February 2017. “Even though this trick only seems to work in small countries such as Belgium (+/- 11.2 million people), a significant number of people is affected by this simple, yet effective privacy leak.”
De Ceukelaire had found a manual and somewhat limited, but still effective, way to enumerate phone numbers and extract their corresponding user information from Facebook through the contact import feature. He submitted the findings to Facebook’s bug bounty program, but in communications reviewed by WIRED, the company said that the issue didn’t qualify for a payout.
The researcher had raised two crucial points, though. First, attackers might well look for more powerful and efficient ways of abusing the contact import feature through phone number enumeration attacks. Facebook told De Ceukelaire at the time that it might revise its rate limits (the maximum number of submissions one can make) for the contact import feature, but that it did not view the issue as a vulnerability. Second, De Ceukelaire flagged that users might not understand that the privacy controls they set for information on their Facebook profile could be undermined by a separate Facebook privacy setting known as “Who can look me up.”
Facebook lets you set your phone number and email address as visible to “Only me.” But it also has an entirely separate setting, called “Who can look me up,” that dictates whether someone can find you on Facebook using your phone number or email address through the contact import tool. Even if your phone number is set to “Only me” on your profile, it could still be set to “Everyone” under “Who can look me up.” In that case, if someone guessed your phone number they would be able to link it to your other public Facebook information.
At the time of De Ceukelaire’s research, Facebook didn’t even offer an “Only me” option within the “Who can look me up” control. The options were “Everyone,” “Friends of friends,” and “Friends.” In May 2019 the company added an “Only me” option. Go to “Settings & Privacy,” “Settings,” “Privacy,” and scroll to “How People Find and Contact You” to find the “Who can look me up” email address and phone number controls. The feature is set to “Everyone” by default.
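To make the interaction between those two settings and the enumeration attack concrete, here is an added example. It is not Facebook’s code and not De Ceukelaire’s proof of concept; it is a constructed, in-memory model of a contact-import matcher with a handful of fictional accounts and numbers. Everything in it is an assumption chosen to illustrate the text: the `Profile` record, the `DIRECTORY` and `FRIENDS` data, the “legacy” and “hardened” matchers, the batch cap of 50 and the per-requester budget of 200 lookups are not Facebook’s real limits or behaviour. What it shows is the mechanism the passage describes: matching consults only “Who can look me up” and never the audience of the phone field on the profile, so a number set to “Only me” is still linked to its account; the legacy matcher has no “Only me” lookup option; and without batch and volume limits a loop over a number range harvests every account whose lookup setting permits it.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    phone: str              # stored in E.164 form, e.g. "+32470000003"
    phone_visibility: str   # audience of the profile field: "everyone" | "friends" | "only_me"
    lookup_by_phone: str    # "Who can look me up" by phone:
                            # "everyone" | "friends_of_friends" | "friends" | "only_me"


# Constructed sample accounts: names and numbers are fictional.
DIRECTORY: Dict[str, Profile] = {
    p.phone: p for p in (
        Profile(1003, "Alice Example", "+32470000003", "only_me", "everyone"),
        Profile(1007, "Bob Example",   "+32470000007", "only_me", "friends"),
        Profile(1011, "Carol Example", "+32470000011", "everyone", "only_me"),
    )
}
FRIENDS: Dict[int, set] = {2000: {1007}}   # constructed: requester 2000 is Bob's friend


def normalize(raw: str) -> Optional[str]:
    """Strip separators; accept only '+' followed by 8-15 digits."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    return cleaned if re.fullmatch(r"\+\d{8,15}", cleaned) else None


def _lookup_permits(p: Profile, requester: int, setting: str) -> bool:
    """Evaluate a 'Who can look me up' audience for one requester."""
    if setting == "everyone":
        return True
    if setting == "only_me":
        return False
    friends = FRIENDS.get(requester, set())
    if setting == "friends":
        return p.user_id in friends
    if setting == "friends_of_friends":
        return p.user_id in friends or any(p.user_id in FRIENDS.get(f, set()) for f in friends)
    return False


Match = Tuple[int, str, str]   # (user_id, name, phone that matched)


def contact_import_legacy(requester: int, numbers: List[str]) -> List[Match]:
    """Model of the pre-2019 behaviour the text describes: no batch cap, no
    per-requester budget, and no 'Only me' choice under 'Who can look me up'
    (modelling assumption: a profile carrying that value falls back to the
    default, 'everyone'). phone_visibility is never consulted, so a match links
    the number to the account regardless of the profile field's audience."""
    hits: List[Match] = []
    for raw in numbers:
        p = DIRECTORY.get(normalize(raw) or "")
        if p is None:
            continue
        setting = "everyone" if p.lookup_by_phone == "only_me" else p.lookup_by_phone
        if _lookup_permits(p, requester, setting):
            hits.append((p.user_id, p.name, p.phone))
    return hits


MAX_BATCH = 50          # assumed cap on numbers per request
LOOKUP_BUDGET = 200     # assumed cap on numbers per requester per window
_spent: Dict[int, int] = {}


def lookups_spent(requester: int) -> int:
    return _spent.get(requester, 0)


def contact_import_hardened(requester: int, numbers: List[str]) -> List[Match]:
    """Honours 'Only me', caps batch size, and charges every submitted number
    (matched or not) against a per-requester budget, so sweeping a range costs
    the attacker budget even when most candidates are not Facebook users."""
    if len(numbers) > MAX_BATCH:
        raise ValueError(f"batch of {len(numbers)} exceeds {MAX_BATCH}")
    if lookups_spent(requester) + len(numbers) > LOOKUP_BUDGET:
        raise PermissionError("lookup budget exhausted")
    _spent[requester] = lookups_spent(requester) + len(numbers)
    hits: List[Match] = []
    for raw in numbers:
        p = DIRECTORY.get(normalize(raw) or "")
        if p is not None and _lookup_permits(p, requester, p.lookup_by_phone):
            hits.append((p.user_id, p.name, p.phone))
    return hits


Importer = Callable[[int, List[str]], List[Match]]


def enumerate_range(requester: int, prefix: str, count: int, batch: int,
                    importer: Importer) -> Dict[str, Tuple[int, str]]:
    """Attacker loop: generate every number under a prefix, submit it in
    batches, and stop when the service refuses further lookups."""
    candidates = [f"{prefix}{i:07d}" for i in range(count)]
    found: Dict[str, Tuple[int, str]] = {}
    for start in range(0, len(candidates), batch):
        try:
            for uid, name, phone in importer(requester, candidates[start:start + batch]):
                found[phone] = (uid, name)
        except PermissionError:
            break
    return found


if __name__ == "__main__":
    print("legacy  :", enumerate_range(3000, "+3247", 1000, 500, contact_import_legacy))
    print("hardened:", enumerate_range(3000, "+3247", 1000, MAX_BATCH, contact_import_hardened))
```

Run stand-alone, the legacy matcher returns both Alice (lookup “Everyone”, phone field “Only me”) and Carol (whose “Only me” lookup choice does not exist in that model), while the hardened matcher returns only Alice and stops the sweep after 200 candidates. Alice still appears in the hardened output: the 2019 change was to offer the “Only me” option, and a user who leaves the lookup setting at the “Everyone” default remains linkable no matter how the phone field on the profile is hidden.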
And then there’s the now public 2019 user data trove. Facebook has not yet explained the specific technical mechanism that enabled its creation. But a researcher who goes by @ZHacker13 submitted a vulnerability report in August 2019 about a bug in Instagram’s contact import feature that could pull user data through a phone number enumeration attack that was even more automated and efficient than the one De Ceukelaire demonstrated in 2017. Facebook eventually said in September 2019 that its security team was “already aware of the issue due to an internal finding.”
Initially, though, Facebook told @ZHacker13 that enumeration vulnerabilities are “extremely low risk” unless they specifically “allow an attacker to determine which specific user ID an email address or mobile phone number is linked to,” which @ZHacker13’s finding did. In September 2019, Forbes broke the news about @ZHacker13’s disclosure saga.
“At the beginning Facebook refused to acknowledge my report as legit, even after I provided them a full proof of concept,” @ZHacker13 told WIRED on Thursday. “After I talked with Forbes, they realized they made a mistake, fixed the issue, and paid me a small bounty of $4,000.”
In its official acknowledgement of the Instagram contact import vulnerability, Facebook wrote, “This could have let a malicious user imitate Instagram and look up phone numbers to find which users they belonged to.”
The statement echoes Facebook’s explanation on Tuesday of the vulnerability that enabled an actor to scrape data from more than 500 million users: “We made changes to prevent malicious actors from using software to imitate our app and upload large sets of phone numbers to see which ones matched Facebook users.”
Facebook has consistently emphasized this week that stopping scrapers is an endless cat-and-mouse game. The company also argues that the leaked data is not as sensitive as health or financial information. And Facebook has said that pilfering data through scraping does not mean that attackers exfiltrated the data “through hacking our systems.” By reluctantly awarding a bug bounty for the Instagram finding, though, Facebook has acknowledged publicly that it considers this type of issue with the contact import tool to be a vulnerability.
Some details of the recent leak’s timeline remain unclear. Facebook says the scraping took place “prior to September 2019,” but it has not clarified exactly when it happened, how many incidents were involved, or when Facebook learned about the malicious activity. Analysis of the data set seems to indicate that it was cobbled together over a number of scraping sessions that began no later than 2018 and apparently continued into June 2019 or later. The company’s careful word choice, though, likely reflects a concern that it could be investigated for failing to disclose a data breach under various laws and agreements around the world, including by the US Federal Trade Commission. Facebook entered into agreements with the FTC in both 2011 and June 2019 that seemingly would have required the company to disclose the finding to the agency.
“Given the way they’re trying to be so careful to indicate that they weren’t hacked, I think they are probably very mindful of the fact that they could be facing significant liability,” says former Federal Trade Commission chief technologist Ashkan Soltani.