The security researchers who found Facebook's shadow profiles vulnerability have compared their numbers to what Facebook told its users in emails, and the numbers don't match.
They say Facebook told users the exposure was much smaller than what the researchers measured, and they also say Facebook is storing contact information for people who are not Facebook users at all, which was likewise exposed in the leak.
On Friday Facebook announced it had fixed a bug that, it said, inadvertently exposed the private information of over six million users: Facebook's previously unknown shadow profiles had been merged into user accounts in responses to data-history requests.
Since at least 2012, Facebook users who used the Download Your Information (DYI) tool to get their data history also received an address book containing contact details those users had never provided to Facebook.
Facebook explained the issue to ZDNet on Sunday, after user anger erupted, saying that when a Facebook user uploads an address book, the social network takes every contact in it and stores all of them.
Users are still furious; they had not known that phone numbers and email addresses they never shared with Facebook were being collected, stored, silently matched to their accounts and, now, accidentally shared by Facebook.
In its Friday email, Facebook disclosed the security and privacy flaw to users, but nobody knew that the email wasn't telling the whole story except security researcher Michael Fury, who originally found the vulnerability, his colleagues at Packet Storm Security, and anyone quietly exploiting the breach.
Because Packet Storm had test data from before the fix verifying the leak, it could compare what the DYI reports actually revealed against what Facebook reported to its users by email and what it told the press.
Packet Storm wrote in "Facebook: Math of the Aftermath":
We compared Facebook email notification data to our test case data. In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed.
For another individual, they only told him that 3 out of 7 pieces of data were disclosed.