Hot on the heels of a significant data exposure involving 500 million accounts, Facebook is once again in the spotlight due to another security lapse.
A circulating video shows a tool that recovers the email addresses linked to Facebook profiles even when the owners' privacy settings are configured to hide them.
The tool, called Facebook Email Search v1.0, is reported to be able to process up to 5 million email addresses per day, matching each one to the Facebook account it belongs to.
The researcher who found the flaw went public after Facebook downplayed its severity and declined to treat it as something that needed fixing. In the clip, he runs the tool against a batch of 65,000 email addresses.
“You can see the substantial amount of results gleaned from the tool’s log,” the investigator remarked while showcasing the tool ingesting the extensive list. “With an investment of around $10 for about 200 Facebook accounts, I’ve rapidly parsed through 6,000 email addresses in mere minutes,” he added.
Facebook responded, “We mistakenly concluded this bug report prematurely without passing it to the correct team. We acknowledge and value the research efforts and are implementing measures to contain this issue while we investigate the researcher’s claims further.”
Facebook declined to comment on its initial response, in which it judged the bug not important enough to act on. The company's engineers have reportedly neutralized the vulnerability by disabling the method demonstrated in the video.
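The underlying problem is an account-enumeration oracle: a lookup that confirms whether an email address belongs to an account without honouring the owner's "who can look me up" setting, so a list of addresses can be turned into a list of accounts. The following added example (written for this page, not Facebook's code) puts such an oracle next to a hardened form that enforces the privacy setting, returns the same answer for "no such account" and "account hidden", and rate-limits each caller. The directory, the visibility values, the friendship edge and the limits are constructed assumptions.

```python
"""Email-to-account lookup: an enumeration oracle beside a hardened version.

Added example, not Facebook's code. The directory, visibility values,
friendship edges and rate limits are constructed for illustration.
"""
import time
from collections import defaultdict

# Constructed sample directory: email -> (account id, who may find this account by email).
USERS = {
    "alice@example.com": ("u1001", "everyone"),
    "bob@example.com":   ("u1002", "friends"),
    "carol@example.com": ("u1003", "only_me"),
}

# Constructed friendship edges (caller, account id) consulted by the hardened lookup.
FRIENDS = {("viewer_dan", "u1002")}


def normalize(email):
    """Canonicalize so that case or whitespace variants hit the same record."""
    return email.strip().lower()


def lookup_vulnerable(email):
    """Oracle: returns the account id for any directory address, ignoring the
    owner's visibility setting. Fed a list of addresses, it yields a map of
    who holds an account, which is the behaviour the video demonstrates."""
    rec = USERS.get(normalize(email))
    return rec[0] if rec else None


class RateLimited(Exception):
    """Raised when a caller exceeds its query budget for the window."""


class HardenedLookup:
    """Honours the owner's setting, gives one indistinguishable answer for
    'no such account' and 'account hidden', and rate-limits each caller."""

    NO_MATCH = None

    def __init__(self, max_per_window=20, window_s=60.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._hits = defaultdict(list)  # caller -> timestamps of recent queries

    def _recent(self, caller, now):
        recent = [t for t in self._hits[caller] if now - t < self.window_s]
        self._hits[caller] = recent
        return recent

    def remaining(self, caller, now):
        """Queries this caller may still make in the current window."""
        return max(0, self.max_per_window - len(self._recent(caller, now)))

    def lookup(self, caller, email, now=None):
        now = time.monotonic() if now is None else now
        recent = self._recent(caller, now)
        if len(recent) >= self.max_per_window:
            raise RateLimited(caller)
        recent.append(now)
        rec = USERS.get(normalize(email))
        if rec is None:
            return self.NO_MATCH
        account_id, visibility = rec
        if visibility == "everyone":
            return account_id
        if visibility == "friends" and (caller, account_id) in FRIENDS:
            return account_id
        return self.NO_MATCH  # same answer as for an unknown address


def count_matches(lookup_fn, emails):
    """How many addresses of a candidate list the given lookup confirms as accounts."""
    return sum(1 for e in emails if lookup_fn(e) is not None)


if __name__ == "__main__":
    candidates = ["alice@example.com", "Bob@Example.com",
                  "carol@example.com", "nobody@example.com"]
    hardened = HardenedLookup()
    print("oracle confirms:", count_matches(lookup_vulnerable, candidates))
    print("hardened, stranger confirms:",
          count_matches(lambda e: hardened.lookup("viewer_eve", e), candidates))
```

The per-caller budget alone is a weak control: the researcher describes buying roughly 200 accounts for about $10 to spread the queries, which defeats any limit keyed on a single account. The decisive fixes are the other two, enforcing the visibility setting on the server and making the hidden and nonexistent cases return the same response.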
The story was first reported by Ars Technica, which withheld the researcher's identity.
Facebook fixed a similar issue earlier this year.
“This vulnerability is nearly identical to the previous one,” the investigator stated. “Regardless of my demonstration to Facebook and their awareness, they have directly informed me that they will not act against it.”
Facebook, with 2.80 billion monthly active users, presents itself as a platform that collects this data securely and with minimal risk. The recurring privacy incidents raise questions about how transparent its data-handling practices really are.
Following the earlier exposure, an internal email mistakenly sent to a DataNews journalist suggested that Facebook's PR response should "frame this as an industry-wide challenge and normalize the frequency of such occurrences," according to a report from Wired.
“The risk posed by this vulnerability is considerable, and I seek support to halt its exploitation,” the researcher stated. How widely others have used the tool against Facebook's user base is unclear, but if it is circulating, others have likely found it and used it quietly.
Alon Gal, chief technology officer at the cybercrime intelligence firm Hudson Rock, said of the earlier 500-million-account exposure on Twitter, “Malevolent actors will undoubtedly leverage this data for social engineering, fraud, hacking, and marketing endeavors.”
“When individuals give their personal details to a trusted company like Facebook, it is expected that Facebook will handle their data with the utmost care,” Gal remarked. “The leakage of this personal information constitutes a profound breach of trust and warrants appropriate action.”
This is not Facebook's first controversy over data leaks or data use. The Cambridge Analytica scandal, which came to light in 2018, revealed that the British consulting firm had harvested the personal data of millions of Facebook users to target political advertising, including during the 2016 US presidential election.