Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/4/2019
05:20 PM
Robert Lemos
Robert Lemos
News
50%
50%

Third Parties in Spotlight as More Facebook Data Leaks

Two third-party services left Facebook user data exposed online -- in one case, 540 million records of user comments -- highlighting the ease with which third-party developers can access data and the risk of lax security.

A Mexican media company's unprotected Amazon S3 container exposed more than 540 million records of Facebook users' comments and interests, while a defunct integrated Facebook app, At the Pool, left online sensitive information of more than 22,000 users, cloud-security firm UpGuard announced on April 3.

The data, found by the company's storage-scanning service, had explicitly been saved in two separate Amazon Simple Storage Service (S3) buckets, allowing public downloading, according to a blog post. The larger data set, left online by Mexican media firm Cultura Colectiva, consisted of 146GB of comments and whether other users liked or responded to those posts, says Chris Vickery, director of cyber-risk research at UpGuard.

"In this concentrated mass, 540 million records, this is the same type of data that companies like Cambridge Analytica, or anyone else in the marketing [or] psychographic field, can exploit to develop … profiles and really learn how to control a population," he says. "In the aggregate, it is scary."

Third-party developers and corporate users of Facebook's information have become a large security and public-relations problem for the company. In 2018, a Facebook insider revealed that Cambridge Analytica and its parent company, the SCL Group, had collected data on millions of Americans as a prelude to profiling them and targeting advertising to influence the 2016 presidential election. Soon after, the company revealed that most of its users likely had had their profiles scraped by third-party developers. Multiple lawsuits have since been filed against Facebook.

Yet the leaks have not stopped. In December, an issue with Facebook's photo API may have given third-party developers access to the photos of 6.8 million users. In June, Facebook revealed that a bug had inadvertently set the profiles of 14 million users to "public."

The run of privacy and security issues underscores the lack of control Facebook has over the application developers who use the company's data to create new services. In a statement to Dark Reading, Facebook stressed that the servers exposing the latest data did not belong to the company.

"Facebook's policies prohibit storing Facebook information in a public database," a spokesperson said in a statement. "Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data.”

Often, the leaks are not due to any sophisticated attack but by a misconfiguration on the part of the third-party firms. Amazon S3 instances are secure by default and have to be explicitly set to allow public downloading, according to UpGuard's Vickery.

"In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security," UpGuard stated in its blog post. "The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform."

Such misconfiguration should be easily detected by the firms. Scanning services, automated developer testing tools, and other techniques could be used to detect such issues, says Renaud Deraison, chief technology officer and co-founder of Tenable, a cyber defense firm.

"We continue to see headline-grabbing data leaks and breaches that are the direct result of a simple misconfiguration," he says. "And we'll continue to see these issues so long as speed trumps security."

While the company has pushed much of the responsibility for the data exposures to the third-party custodians of the data, Facebook needs to step up, Mukul Kumar, chief information security officer and vice president of cyber practice at security-management firm Cavirin, said in a statement.

"Facebook and others need to go through their records, and reach out to their various partners to secure any customer data," he said. "Given that some of these partners may not have the expertise or may no longer exist, Facebook may need to work directly with the public cloud providers, and if they don't take the initiative, the government should intervene."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/10/2019 | 10:47:24 AM
On Facebook
It has reached the point where anything you put on it IS COMPROMISED - not a question of if or when but IT IS AND THAT'S THAT so only control mechanism is (a) delete account or (b) monitor and scrub any personal data you have on it.  This includes the idiotic posts people make when they are ON VACATION and leave their home empty.  If I were a thief, that is a grand source of data for robbery.  Family members and children also suspect.  Events in life - ALL of this IS compromised and don't complain about it.  Either scrub or delete account, it's that simple. 

Update; i deleted all group memberships save one so that social interests cannot be monitored and passwords guessed from terms within.  I had about 30 groups!!   Wiped them all out save one.  

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...