
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Facebook is Sharing “Shadow Contact Information” with Advertisers

October 1, 2018 By Trevor Collins

Facebook did not have a good week last week, and details are still coming. At the start of the week, Facebook users found that Facebook uses “shadow contact information” from 2-factor authentication and friends’ phonebooks to target advertisements to users. Later in the week, Facebook announced that at least 50 million user accounts were compromised through a series of vulnerabilities. To top it off, a user was going to exploit a bug that would allow him to delete a user’s account, such as Mark Zuckerberg’s Facebook account. He has since backed off from showing this, though.

In these big headlines about Facebook, some details have been missed. The Northeastern University research paper that exposed Facebook for using 2-factor authentication phone numbers and friends’ phone book addresses for ads has more information on what Facebook uses. The researchers tested 7 different ways that Facebook might obtain your PII (personally identifying information).

  • PII added directly to a user’s Facebook profile
  • PII provided to the Facebook Messenger app
  • PII provided to WhatsApp
  • PII shared with Facebook when sharing a phone’s contacts
  • PII uploaded by advertisers to target customers via custom audiences
  • PII added to user accounts for 2FA
  • PII added for login alerts

Some are obvious, like adding information to your Facebook profile directly. One that was missed in most articles online was login alert information. Login alerts notify you if a new device logs into your Facebook account. As with 2FA, one would expect that this information would be kept secure and not given out to advertisers. Yet researchers found that login alert information, like the email address and phone number you provide for login alerts, was used for targeted advertising. It is unlikely that this information ever goes away. Once Facebook has it, they don’t remove it, even at the request of the user. Facebook’s privacy policy says they delete your information, but it isn’t clear what they consider your information vs. other information they have on you. Facebook won’t even disclose the information they have on you, according to the researchers.

Researchers may have found a silver lining. WhatsApp data and data uploaded by advertisers were not used later for targeted ads, suggesting that Facebook doesn’t keep this information, at least not in the same place.

If you want to learn more about Facebook’s use of shadow contact information, check out this week’s episode of The 443 Podcast where Marc and Corey discuss the topic.

Filed Under: Editorial Articles Tagged With: Infosec news
