Data-slurping Facebook Graph Search flaw revealed

A mobile developer has discovered what he claims is a security vulnerability in the Facebook Graph Search that allowed him to automate the compilation of a list of some 2.5 million phone numbers – some of which are tied to Facebook accounts and, therefore, user identities – to prove a point to the company.

When Brandon Copley first discovered this flaw last March, he tipped off Facebook to its existence so that they could patch it.

“I used this to catch a criminal: someone was selling stolen goods on Craigslist, and I had their number, and used this to find who that person was on Facebook and from there reported them to the police,” he explained to the security team.

Unfortunately, the company responded by saying that it considers it a normal feature and that it’s up to the users to safeguard their privacy with the tools made available to them by the social network.

Not satisfied with their answer and armed with his own access tokens from his developer account, Copley took advantage of the Facebook Search API and began compiling the list. Then, after having his account banned a couple of times, he finally received a cease and desist letter from Facebook.
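One defender-side check that the abuse described here calls for (an added example, not code from the article, Facebook or Copley): a small Python detector that reads constructed access-log lines for a hypothetical look-up-by-phone-number endpoint and flags any access token that resolves many distinct numbers within a short window, or walks numbers in sequence, which is how an automated list-building job differs from a user checking a few contacts. The log format, thresholds and token names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample for a hypothetical "look up profile by phone
# number" endpoint (not real Facebook logs): time, token id, number, result.
SAMPLE_LOG = """\
2013-05-21T10:00:00Z tok_a 15555550100 hit
2013-05-21T10:00:01Z tok_a 15555550101 miss
2013-05-21T10:00:02Z tok_a 15555550102 hit
2013-05-21T10:00:03Z tok_a 15555550103 miss
2013-05-21T10:00:04Z tok_a 15555550104 hit
2013-05-21T10:00:05Z tok_a 15555550105 hit
2013-05-21T10:05:00Z tok_b 15555550987 hit
2013-05-21T10:30:00Z tok_b 15555550987 hit
"""

def parse_log(text):
    """Parse 'time token number hit|miss' lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], int(parts[2]), parts[3] == "hit"))
    return events

def find_enumerators(events, window=timedelta(minutes=5), max_distinct=5, seq_ratio=0.6):
    """Return {token: set(reasons)} for tokens whose lookups look automated.
    'volume': more than max_distinct distinct numbers inside one sliding window.
    'sequential': most distinct numbers queried are consecutive (range walking).
    """
    by_token = defaultdict(list)
    for ts, tok, num, _hit in sorted(events):
        by_token[tok].append((ts, num))
    flagged = defaultdict(set)
    for tok, rows in by_token.items():
        start = 0
        for end in range(len(rows)):           # time-ordered sliding window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({n for _, n in rows[start:end + 1]}) > max_distinct:
                flagged[tok].add("volume")
        distinct = sorted({n for _, n in rows})
        if len(distinct) > 1:
            steps = sum(b - a == 1 for a, b in zip(distinct, distinct[1:]))
            if steps / (len(distinct) - 1) >= seq_ratio:
                flagged[tok].add("sequential")
    return dict(flagged)
```

Tokens that trip either rule are candidates for throttling or for forcing the lookup back to the per-user privacy setting rather than the token's own reach.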

“You are unlawfully acquiring Facebook user data,” it stated. “It appears that you are accessing Facebook through automated means and stealing Facebook access tokens in order to scrape data from Facebook’s site without permission.”

According to TechCrunch, Facebook also asked Copley to share the methods he used to scrape Facebook user data, information about the persons he discussed his methods with and what he shared with them, access to the user data he scraped from Facebook, and the names of persons he shared any of that user data with.

Finally, he said, they mentioned Andrew Auernheimer’s case and sentence, probably as an incentive for Copley to comply with their requests and stop the data scraping. Still, no litigation plans were mentioned.

But he obviously thinks he has the right to harvest that information, as it has, after all, been made public by the users themselves. In fact, he is continuing his research, and has ostensibly found an even easier way to keep compiling the list.

I think that both Facebook and Copley are right in this case, but that Facebook might consider modifying the feature. After all, there are malicious individuals out there who could use it to compile a comprehensive list of future targets.

“We see personal information from Facebook used by spammers all the time,” Cloudmark researcher Andrew Conway commented for Help Net Security. “If a spammer has your email address, they can look it up in Graph Search and get to your profile.”

“Then they look up one of your friends, and put their name in the From line of a spam email sent to you. This is all being done automatically of course. It looks as if the email is coming from one of your friends, though if you look at the email address closely, it’s not one your friend would use. However, an email that appears to be from a friend is a lot more likely to be opened than a typical spam message. The spammers’ software will often choose a friend with the same last name if they can, so it looks as if the email is coming from a family member. We saw one spam message which was apparently addressed to a mother by her six-month-old baby! If a friend tells you they get spam from you, there’s a good chance the problem is that their Friends list on Facebook is public.”

“Another trick that spammers use is to search for random phone numbers in Graph Search,” he also pointed out. “If they get a search result, then they take the first name from the profile, and send a text message addressed to that person by name. There’s an example in the blog post, and we have many more! Text messages are a lot more trusted than email messages, especially when they are addressed to the recipient by name.”

Conway says that amidst all this, the good news is that privacy settings on Facebook are a lot easier than they used to be.

“Just click on the Settings icon in Facebook (that’s the little cog wheel on the top right) and select Privacy Settings. Make sure that ‘Who can look me up?’ is set to Friends to protect yourself from Graph Search abuse. There’s one other place you should check as well. Click on Edit Profile under your picture on the top left of the Facebook home page, click on the button to edit your contact information and make sure your email address and phone number there are set to Friends or Only Me.”