Facebook did not have a good week last week, and details are still coming in. At the start of the week, Facebook users found that Facebook uses “shadow contact information” from 2-factor authentication and friends’ phonebooks to target advertisements to users. Later in the week, Facebook announced that at least 50 million user accounts were compromised through a series of vulnerabilities. To top it off, a user was going to exploit a bug that would allow him to delete a user’s account, such as Mark Zuckerberg’s Facebook account. He has since backed off from showing this, though.
In these big headlines about Facebook, some details have been missed. The Northeastern University research paper that exposed Facebook for using 2-factor authentication phone numbers and friends’ phone book addresses for ads has more information on what Facebook uses. The researchers tested 7 different ways that Facebook might obtain your PII (personally identifying information):
- PII added directly to a user’s Facebook profile
- PII provided to the Facebook Messenger app
- PII provided to WhatsApp
- PII shared with Facebook when sharing a phone’s contacts
- PII uploaded by advertisers to target customers via custom audiences
- PII added to user accounts for 2FA
- PII added for login alerts
Researchers may have found a silver lining. WhatsApp data and data uploaded by advertisers were not used later for targeted ads, suggesting that Facebook doesn’t keep this information, at least not in the same place.
If you want to learn more about Facebook’s use of shadow contact information, check out this week’s episode of The 443 Podcast where Marc and Corey discuss the topic.