As Facebook CEO Mark Zuckerberg discussed making his platform more secure, a bug in Facebook Messenger allowed websites to gain access to users’ data, including who they have been chatting with, say researchers.
Now fixed by Facebook, the vulnerability in the web version of Messenger allowed any website to expose who you have been messaging, revealed Ron Masas, researcher with cyber security company Imperva, in a blog post late on Thursday.
The researcher reported the vulnerability to Facebook under their responsible disclosure programme and the social media platform mitigated the issue.
In November 2018, Masas and his team discovered a Facebook bug that allowed websites to extract data from users’ profiles via cross-site frame leakage (CSFL), a side-channel attack performed on an end user’s web browser.
“Browser-based side-channel attacks are still an overlooked subject. While big players like Facebook and Google are catching up, most of the industry is still unaware,” wrote Masas.
Facebook Messenger has over 1.3 billion users globally.
A confidential Facebook document reviewed by The Intercept has revealed that the social networking giant is offering private data of its users without their knowledge or consent to 100 different telecom companies and phone makers in 50 countries.
Confidential documents seen by the website showed late Monday that Facebook is helping operators and phone makers “create targeted advertising by supplying them with surveillance data slurped directly from users’ smartphones”.
Not only that, the social networking giant is also collecting data from its main iOS and Android apps, Messenger and Instagram apps — even snooping into the phones of children as young as 13.
Through a tool called “Actionable Insights”, Facebook is allegedly collecting data including technical details about smartphones, cellular and Wi-Fi networks used by Facebook users, locations visited, social groups and interests.
Facebook reacted in a statement late Monday: “We do not, nor have we ever, rated people’s credit worthiness for Actionable Insights or across ads, and Facebook does not use people’s credit information in how we show ads”.
According to the report, “the data has been used by Facebook partners to assess their standing against competitors, including customers lost to and won from them, but also for more controversial uses like racially targeted ads”.
Facebook launched the “Actionable Insights” tool last year “to address the issue of weak cellular data connections in various parts of the world.”
“The confidential Facebook document shows how the programme, ostensibly created to help improve underserved cellular customers, is pulling in far more data than how many bars you’re getting,” said the report.
“The Facebook mobile app harvests and packages eight different categories of information for use by over 100 different telecom companies in over 50 different countries around the world, including usage data from the phones of children as young as 13,” the report claimed.
These categories include use of video, demographics, location, use of Wi-Fi and cellular networks, personal interests, device information, and friend homophily, an academic term of art.
From these categories, a third party vendor could learn an extraordinary amount about patterns of users’ daily life.
The news came after Facebook’s photo-sharing service Instagram found itself in trouble when the personal data of millions of celebrities and influencers was allegedly exposed on its platform in a massive database that was traced to Mumbai-based social media marketing firm Chtrbox.
The database contained 49 million records of several high-profile influencers, including prominent food bloggers, celebrities and other social media influencers, TechCrunch reported. (IANS)