Facebook’s White Hat bug bounty program allows them to identify and fix security bugs and other issues and, today, the social networking giant have revealed an interesting bug that was discovered via that avenue.
An as-yet-unnamed security researcher has submitted a bug report to Facebook that details an issue that could have led to a person’s contact details (email or phone number) being accessible to other users who shared some connection with them.
“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.”
Facebook went on to say that they subsequently disabled the DYI tool temporarily whilst they fixed the problem.
Approximately 6 million users had their email addresses and/or telephone numbers shared in this manner, which is, of course, small fry compared with the access the NSA has (allegedly). Even so, Facebook have not received any complaints from users to suggest that the bug was exploited in any way.
The lucky security researcher who brought this bug to Facebook’s attention has been compensated with a bug bounty payment.