weerapat1003 - stock.adobe.com

Third-party Facebook apps expose 540 million users’ details

Researchers have discovered another trove of Facebook users’ details, showing there is still no control over data shared with third parties, potentially exposing Facebook to more regulatory and legal action

A year after the Cambridge Analytica data sharing scandal, researchers have discovered publicly exposed data stores belonging to two more third-party developed Facebook apps.

The cyber risk team at security firm UpGuard found one data store originating from the Mexico-based media company Cultura Colectiva of 146GB, containing more than 540 million records, detailing comments, likes, reactions, account names, Facebook IDs and more.

A separate backup from a Facebook-integrated app called “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket, containing columns for Facebook user IDs, friends, likes, music, passwords and more for 22,000 users.

However, the discovering team said the passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but said the passwords were stored in plain text, which would put users at risk who had reused the same password across accounts.

The UpGuard team also notes that the app appears to have ceased operation in 2014, adding that this offers little consolation to the app’s users whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time. 

Despite Facebook making some effort to reduce third party access to users’ data in the wake of the Cambridge Analytica scandal, its discoveries show that the “data genie cannot be put back in the bottle” and that data about Facebook users has been spread far beyond the bounds of what Facebook can control today.

“Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak,” they said in a blog post.

Read more about Facebook and privacy

The “At the Pool” data was taken offline while UpGuard was still investigating its likely origins. The investigators do not know whether that was  a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time.

On the other hand, UpGuard said the Cultura Colectiva data was secured only on 3 April 2019 after Facebook was contacted by Bloomberg for comment, despite notifying the company on 10 January and following up four days later. UpGuard also notified Amazon Web Services on 29 January, who contacted Culture Colectiva.

The discoveries highlight the “inherent problem of mass information collection”, which is that it does not naturally go away, and a derelict storage location may or may not be given the attention it requires, the UpGuard team said.

For app developers on Facebook, they said, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users.

For Cultura Colectiva, data on responses to each post allows them to tune an algorithm for predicting which future content will generate the most traffic.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard team said.

“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

Added context

Putting the data discovery in context, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said the leak is not as dramatic as it first appears.

“The 540 million record database contains mostly publicly accessible data, while the second database with passwords in plaintext contains just 22,000 records is a drop in the ocean of leaked credentials in 2018.

“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorised copies, some of which are being sold on black market already. It is impossible to control this data, and users’ privacy is at huge risk.

“Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties.

“Facebook may now face numerous multimillion civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities." 

Although Facebook has rules about how that data can be used and stored, there is little means of Facebook actually enforcing those policies until after some damage has been done, said Paul Bischoff, privacy advocate at consumer support site Comparitech.com.

“Cambridge Analytica was the most high profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn’t be, including these ones. And even though Facebook has limited what information third-party developers can access, there’s still nothing Facebook can do about abuse or mishandling until after the fact.”

Guidelines for partners

Renaud Deraison, chief technology officer and co-founder at Tenable, said it looks like Facebook does not have enforced guidelines when it comes to how its partners handle cyber security. 

“As long as cyber security remains an afterthought in the digital economy, we’ll continue to see these kinds of easily preventable data leaks,” he said.

Tim Erlin, vice-president, product management and strategy at security firm Tripwire, said organisations cannot transfer responsibility for securing sensitive data by moving it to the cloud. 

“When it’s technically feasible to continuously monitor Amazon storage settings for exactly this scenario, there’s no excuse for not protecting your customer data from this type of breach. Facebook has been caught, like so many others, by third-party partners exposing their shared data.”

Sam Curry, chief security officer at security firm Cybereason, said the next steps for Facebook should including making privacy a core value.

“Create a senior post to own privacy, staff it and back it. Then announce a 90 days survey. Call in independent advisors and observers. Then take 30 days to create and publish a plan in place to fix what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry.”

Read more on Privacy and data protection