It looks like all our Graph Search privacy concerns weren't just the ravings of a paranoid, tinfoil-hat-wearing lunatic. Using Facebook's new comprehensive search tool, a tricksy little dev was able to compile a database holding thousands of Facebook users' personal phone numbers.
While the number of usable, identifiable phone numbers reached the thousands, Brandon Copley, the Dallas developer who exposed this major flaw in Facebook's privacy controls, was actually able to download 2.5 million different entries. Many of these, though, were either inactive or "not connected to a Facebook user with public settings."
Copley's extensive hacking, though discomforting, was supposedly executed with a seemingly noble goal — he wanted to expose Facebook's rampant availability of information as an invasion of its users' privacy. Naturally, Facebook disagrees, telling Tech Crunch:
Your privacy settings govern who can find you with search using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.
Copley first identified the vulnerability when he found goods that had been stolen from him listed on Craigslist. By entering the listing's phone number into Graph Search, he was easily able to track down the criminal. But while this helped him, he recognised how easy it might be to scrape the social network and put together a database. Upon sending in his concern to Facebook, a member of the security team replied:
I agree with you personally. We do have antiscraping protections (ratelimiting, bad ip blocks, etc) but it comes down to people controlling their privacy, we can make the privacy tools available and we can encourage them to use them but we could never just switch their privacy settings for them. So there is not much more we can do.
Deciding to take matters into his own hands at this point, Copley decided to "show them how a 'feature' like this is a security flaw." As a Facebook developer, he was able to use his access tokens along with the Facebook Search API to performs thousands of searches a day with the API token of a non-rate-limited app. Facebook then sent him a cease and desist letter claiming that he was "unlawfully acquiring Facebook user data," but the truth of the matter is, every piece of data Copley ended up with had been set to public — often by default.
All this is coming in the wake of another Facebook privacy scare just last Friday, in which a post on Facebook's security blog revealed that it had been exposing contact info for six million users, entirely unawares. While that bug has been closed, we'll have to wait and see what comes of this particular revelation by Copley. Though if this bevy of privacy concerns is any indication, there are certainly more to come. [Tech Crunch]