Facebook to fix bug leaking users' phone numbers
Roughly 1/1000 users were affected by the mobile apps glitch
IDG News Service - Facebook is rolling out a patch to fix a rare bug in its API that had apparently been leaking users' phone numbers to app developers.
The glitch, which was first reported back in June 2012, was affecting the email field in some mobile apps accessing Facebook's API (application programming interface).
During the registration process, users would give the developer permission to access their email address on file with Facebook. But instead of returning an email address, the app's email field was giving developers the user's phone number.
The bug had been occurring only once in every thousand cases, Facebook said. But with some larger app developers having multiple thousands of users, the incidence rate is significant.
One app developer affected by the glitch, however, reported a higher incidence rate. Nathan Cobb, research investigator with the American Legacy Foundation, an antismoking nonprofit, said their group's smoking cessation app, Ubiquitous, was giving them phone numbers for about one in every 200 users.
The Ubiquitous app is part of a study funded by the National Institutes of Health on health interventions through Facebook, and the bug was "making it impossible for us to follow up with users as part of the study," he said.
It is not clear whether any particular mobile operating system was more affected by the bug than another.
"We expect the issue to be resolved soon," spokeswoman Erin First said in an email Wednesday, with a notice on Facebook's developer page saying a fix would be pushed out.
Facebook said later that the bug does not breach its terms of service or users' privacy because the user is still implicitly giving the developer permission to access the phone number if that is the contact information the user has on file with Facebook.
Facebook already lets people search for users on the site by the contact information they have listed and set as public, which may include email addresses and phone numbers.
The bug had been left unpatched for almost nine months. Facebook did not immediately clarify whether it had any evidence of developers using the numbers to call users to promote their services.
Lately the social network has been forced to address other privacy concerns connected to Graph Search, its new social search engine currently in beta launch. The tool is designed to let users more easily find things on the site through their social connections, but some have questioned whether it reveals too much.
The site has sought to explain in recent weeks, for instance, why Graph Search does not compromise the privacy rights of minors.