Just last month, data concerning 500 million Facebook users was leaked, and now another data breach has occurred on the social media platform.
A video circulating shows a tool that links Facebook accounts with their associated email addresses, even when users choose privacy settings that prevent such sharing.
The tool shown in the video, named Facebook Email Search v1.0, could link Facebook accounts to as many as 5 million email addresses per day.
The person who found this vulnerability said that he went public with the video as Facebook told him it was not “important” enough to be fixed. In the video, he demonstrates what happens when he feeds the tool a list of 65,000 emails.
“As you can see from the output log here, I’m getting a significant amount of results from them,” the researcher said as the video showed the tool crunching the address list. “I’ve spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts.”
In a statement, Facebook said: “It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.”
Facebook refused to comment on its initial response to the bug report, in which it treated the issue as not important enough to warrant any action. A representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.
The report was first published by Ars Technica, a respectable technical website. Ars agreed not to identify the researcher who found the bug.
Earlier this year, Facebook had a similar vulnerability that was ultimately fixed.
“This is essentially the exact same vulnerability,” the researcher says. “And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it.”
Facebook has 2.80 billion monthly active users, whose data has been collected on the premise that it is a relatively safe, minimal-risk platform. But time and again, Facebook has come under scrutiny for collecting and accessing massive amounts of data with no transparency on how this data is stored, accessed, and shared.
An email that the company inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to “frame this as a broad industry issue and normalize the fact that this activity happens regularly,” reports Wired. Facebook also makes a distinction between scraping and hacks or breaches.
“I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped,” the researcher said. It is not clear if others have used this tool to access Facebook’s massive database, but if it is out there, then rest assured that others have found access to it and have quietly exploited it.
Alon Gal, chief technology officer at the Hudson Rock cybercrime intelligence firm, commented on the previous Facebook leak in April. “Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” Gal said on Twitter.
“Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook [is] supposed to treat the data with utmost respect,” Gal said. “Users having their personal information leaked is a huge breach of trust and should be handled accordingly.”
This is not the first time that Facebook has been embroiled in controversies over leaks or use of data. In 2016, a scandal erupted around Cambridge Analytica, a British consulting firm that used the personal data of millions of Facebook users to target political ads, and it was even linked with the US elections.