Third Parties in Spotlight as More Facebook Data Leaks

  /     /     /  
Publicated : 23/11/2024   Category : security

Third Parties in Spotlight as More Facebook Data Leaks


Two third-party services left Facebook user data exposed online -- in one case, 540 million records of user comments -- highlighting the ease with which third-party developers can access data and the risk of lax security.


A Mexican media companys unprotected Amazon S3 container exposed more than 540 million records of Facebook users comments and interests, while a defunct integrated Facebook app, At the Pool, left online sensitive information of more than 22,000 users, cloud-security firm UpGuard announced on April 3.
The data, found by the companys storage-scanning service, had explicitly been saved in two separate Amazon Simple Storage Service (S3) buckets, allowing public downloading,
according to a blog post
. The larger data set, left online by Mexican media firm Cultura Colectiva, consisted of 146GB of comments and whether other users liked or responded to those posts, says Chris Vickery, director of cyber-risk research at UpGuard.
In this concentrated mass, 540 million records, this is the same type of data that companies like Cambridge Analytica, or anyone else in the marketing [or] psychographic field, can exploit to develop … profiles and really learn how to control a population, he says. In the aggregate, it is scary.
Third-party developers and corporate users of Facebooks information have become a large security and public-relations problem for the company. In 2018, a Facebook insider revealed that Cambridge Analytica and its parent company, the SCL Group, had
collected data on millions of Americans
as a prelude to profiling them and targeting advertising to influence the 2016 presidential election. Soon after, the company
revealed
that most of its users likely had had their profiles scraped by third-party developers. Multiple lawsuits have since been
filed against Facebook
.
Yet the leaks have not stopped. In December, an issue with Facebooks photo API may have given third-party developers access to the
photos of 6.8 million users
. In June, Facebook revealed that a bug had inadvertently set the profiles of
14 million users to public.
The run of privacy and security issues underscores the lack of control Facebook has over the application developers who use the companys data to create new services. In a statement to Dark Reading, Facebook stressed that the servers exposing the latest data did not belong to the company.
Facebooks policies prohibit storing Facebook information in a public database, a spokesperson said in a statement. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect peoples data.”
Often, the leaks are not due to any sophisticated attack but by a misconfiguration on the part of the third-party firms. Amazon S3 instances are secure by default and have to be explicitly set to allow public downloading, according to UpGuards Vickery.
In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security, UpGuard stated in its blog post. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.
Such misconfiguration should be easily detected by the firms. Scanning services, automated developer testing tools, and other techniques could be used to detect such issues, says Renaud Deraison, chief technology officer and co-founder of Tenable, a cyber defense firm.
We continue to see headline-grabbing data leaks and breaches that are the direct result of a simple misconfiguration, he says. And well continue to see these issues so long as speed trumps security.
While the company has pushed much of the responsibility for the data exposures to the third-party custodians of the data, Facebook needs to step up, Mukul Kumar, chief information security officer and vice president of cyber practice at security-management firm Cavirin, said in a statement.
Facebook and others need to go through their records, and reach out to their various partners to secure any customer data, he said. Given that some of these partners may not have the expertise or may no longer exist, Facebook may need to work directly with the public cloud providers, and if they dont take the initiative, the government should intervene.
Related Content:
Facebook: Most Profiles Likely Scraped by Third Parties
Exposed Consumer Data Skyrocketed 126% in 2018
Facebook Rolls Out Data Abuse Bounty Program
Financial Firms Scrutinize Third-Party Supplier Risk
Facebook Bug Sets 14M Users Settings to Public
 
 
 
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Third Parties in Spotlight as More Facebook Data Leaks