Approximately 6 million Facebook users had their email addresses or phone numbers inadvertently shared as a result of a software security glitch, the company recently announced. The bug was discovered by a researcher who submitted it to Facebook’s White Hat program, and the data leaks occurred gradually over the course of a year, Reuters reported.
According to Facebook, the bug resulted from an error in the algorithm the social network uses to help people find the profiles of those in their contact lists. Once that contact data is uploaded, Facebook scans it to rule out contacts that have already been added as friends, among other functions. However, because of the bug, some of the uploaded contact information was inadvertently stored in association with user accounts, so that someone who downloaded an archive of their account using the service’s Download Your Information (DYI) tool could potentially see a list of email addresses or phone numbers of people with whom they share some connection.
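As an added illustration, not Facebook’s code (the article shows none), the following Python model shows the failure pattern the article describes: contact details written onto an account record during matching are swept into the DYI archive unless the export is restricted by a provenance tag. The class, function and field names are hypothetical and the sample addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AccountRecord:
    """Hypothetical account store: every stored value carries a provenance tag."""
    user_id: str
    fields: list = field(default_factory=list)

    def add(self, kind, value, source):
        self.fields.append({"kind": kind, "value": value, "source": source})


def match_contacts(acct, uploaded_contacts, known_friends):
    """Contact matching as the article describes it: drop contacts who are
    already friends. Writing the remaining contact details onto the account
    record is the defect; they belong to third parties, not the account holder."""
    unmatched = [c for c in uploaded_contacts if c not in known_friends]
    for c in unmatched:
        acct.add("email", c, source="contact_upload")  # the buggy side effect
    return unmatched


def export_buggy(acct):
    """Download Your Information path with no provenance filter."""
    return sorted(f["value"] for f in acct.fields)


def export_fixed(acct):
    """Same export, limited to data the account holder supplied about themselves."""
    return sorted(f["value"] for f in acct.fields if f["source"] == "self")


def leaked_values(export, uploaded_contacts):
    """Third-party contact details that ended up inside an archive."""
    return sorted(set(export) & set(uploaded_contacts))


def demo():
    # Constructed sample data; no real addresses.
    acct = AccountRecord("u1")
    acct.add("email", "owner@example.com", source="self")
    uploaded = ["alice@example.com", "bob@example.com", "friend@example.com"]
    match_contacts(acct, uploaded, known_friends={"friend@example.com"})
    return (leaked_values(export_buggy(acct), uploaded),
            leaked_values(export_fixed(acct), uploaded))
```

Running `demo()` shows the unfiltered export leaking the two non-friend contacts while the provenance-filtered export leaks nothing.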
No other types of personal or financial information were shared, the company stated. Additionally, almost all the contact information exposed was only included in a download once or twice, meaning that only one person could have accessed it. Facebook temporarily disabled the DYI tool and has since issued a fix. The company added that it has no evidence of any wrongdoing or active exploitation, but it apologized profusely for the error.
“Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” the company stated. “Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.”
Potential for exposure
Facebook has contended with user complaints about exposing personal information for years, making this glitch the latest in a series of potential blows to the company’s trust. Most recently, it was disclosed that Facebook and other companies had been turning over large stores of user data to a secret U.S. government surveillance program. With user trust on the line, avoiding software security incidents is imperative for a company like Facebook.
The company noted that it implements extensive security safeguards in its development process in addition to sponsoring a bug bounty program. Such efforts can be enhanced with the use of additional static analysis or code review tools, which enable developers to catch errors prior to their release.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.