Facebook quietly stopped apps from accessing users' private data just two weeks ago
Facebook exposed private lists of users' friends to app developers without their knowledge until two weeks ago, despite claiming to have blocked this functionality three years ago.
The loophole allowed apps to collect the friend lists of anybody who had installed the app, exposing their names and profile photos. Facebook quietly switched the "taggable friends" interface off on April 4, burying the announcement among a series of other privacy measures.
Facebook chief Mark Zuckerberg was grilled by US Congress last week.
In Mark Zuckerberg's testimony to US Congress, he said: "In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the Facebook information apps could access. Most importantly, apps like Kogan's could no longer ask for information about a person's friends unless their friends had also authorised the app."
However, Facebook did not shut down the taggable friends feature in 2014, even though it granted similar access to friends' data. Apps were therefore still able to collect friends' names and photos for another three years.
By default, Facebook profiles allow friends to "tag" one another in pictures and status updates, and the setting has to be switched off manually. Since most users never change their default settings, anybody who installed a Facebook app, such as a quiz or personality test, exposed the names and profile photos of most of their friends, whether or not those friends had ever used the app.
Facebook has not revealed how many developers had access to this API or whether it has any evidence of abuse. When the Cambridge Analytica debacle came to light, it warned that it was aware of "malicious actors" who may have abused its systems to create profiles of people without their knowing.
While the taggable friends feature did not grant as rich a data set as the ones apps could access before 2014, it may have provided a starting point for a firm or researcher to single out those people for further collection. A friend list alone could be used to estimate things such as credit risk, based on what a person's friends had in common, or political leaning by association.
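The mechanism described in the two paragraphs above, as an added worked example that is not part of the article and is not Facebook's code or data: a small constructed friendship graph in which each profile carries a "can be tagged" flag that defaults to on, and an app that learns the taggable friends of everyone who installs it. The users, friendships and the single opt-out (grace) are invented for illustration. It shows the two security-relevant properties of the design: the person whose name is exposed is not the person who consented, and only a handful of installers is needed to cover most of a network.

```python
"""Model of the "taggable friends" exposure described in the article.

Constructed example: the graph, names and opt-out flag below are made up
for illustration. This is not Facebook's code and not real data.
"""

# Constructed social graph: each key is a user, the value is their friend set.
# Friendship is symmetric, so every edge appears in both directions.
FRIENDS = {
    "alice": {"bob", "carol", "dave", "erin"},
    "bob": {"alice", "carol", "frank"},
    "carol": {"alice", "bob", "dave", "grace"},
    "dave": {"alice", "carol", "heidi"},
    "erin": {"alice", "frank"},
    "frank": {"bob", "erin", "grace"},
    "grace": {"carol", "frank", "heidi"},
    "heidi": {"dave", "grace"},
}

# Default: a profile can be tagged by friends. Only the profile owner can
# switch this off, and the article notes most users never do. Here only
# grace has opted out (hypothetical).
TAGGABLE = {user: True for user in FRIENDS}
TAGGABLE["grace"] = False


def taggable_friends(installer):
    """What an app could retrieve for one installer: the installer's
    friends whose profiles still allow tagging (their names and, per the
    article, profile photos). None of these friends consented to the app."""
    return {friend for friend in FRIENDS[installer] if TAGGABLE[friend]}


def exposed_by(installers):
    """Everything the app learns across all of its installers, mapped to
    the installers through whom each person was observed. Someone who
    shows up under several installers is already 'linked by association'
    without ever having touched the app."""
    seen = {}
    for app_user in installers:
        for friend in taggable_friends(app_user):
            seen.setdefault(friend, set()).add(app_user)
    return seen


def coverage(installers):
    """Fraction of the whole graph whose name the app now holds: the
    installers themselves (who consented) plus every friend observed
    through them (who did not)."""
    observed = set(exposed_by(installers)) | set(installers)
    return len(observed) / len(FRIENDS)


if __name__ == "__main__":
    # Two installers out of eight users; grace's opt-out protects only her.
    installers = {"alice", "frank"}
    for person, via in sorted(exposed_by(installers).items()):
        print(f"{person:6} exposed via {sorted(via)}")
    print(f"coverage with {len(installers)} installers: {coverage(installers):.0%}")
```

Running it shows that two installers expose six of the eight names (75%), that grace's opt-out removes only grace from the result, and that bob and erin are each observed through two different installers, which is exactly the kind of co-membership the article says could seed further profiling.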
Bryan Carney, a journalist and developer who first alerted Facebook to the bug, said that he was able to pull his entire friend list through the loophole and noticed hackers discussing how to use the information on web forums. Mr Carney alerted Facebook through its bug bounty programme.