Approximately 6 million users affected; no evidence of malicious exploits of the bug
Facebook's security team published a post today to tell users about a bug, now discovered and fixed, that revealed some users' contact information to "friends" they did not intend to share it with. The bug, which was pointed out to Facebook's White Hat Program by an independent entity, involved the combination of users uploading their contact lists to find connections on Facebook and the service's Download Your Information (DYI) tool. When users upload their contact list to the site, Facebook analyzes it to recommend friends they are not already connected with, matching up phone numbers and email addresses to keep from offering duplicate contacts. During this analysis, Facebook inadvertently stored this personal information with users' profiles, allowing it to then be given to other users who downloaded their data with the DYI tool.
The end result, Facebook says, is that approximately 6 million Facebook users possibly had their phone numbers or email addresses made available to people who used the DYI tool to download their own (and therefore their friends' publicly available) Facebook data. For the vast majority of the users who had their data inappropriately shared, Facebook claims each individual address or number was only downloaded with the DYI tool once or twice. No other types of personal information were made available, and the DYI tool was not used by developers or advertisers, just individual users.