Last Friday, Facebook disclosed a bug fix which exposed the shadow profile activity of the social network.
Packet Storm Security who analysis the security issues of the network has said that they are composing frightening dossiers for both the account holders and the non-account holders.
Packet Storm has discovered the vulnerability in the security system of Facebook and they have reported it to the Admin.
After long dialogues between the researches and the Facebook Admin, the researches team was asked to show with authentic reasoning or evidence that the security issue has not been built out of any malicious thinking and is just an oversight.
Since 2012, the admin of Facebook without any intention has gone on to combine the users Facebook profiles with their shadow profiles and has also gone on to share them with the user’s friends that are utilizing the Facebook DYI tool. When someone opens the archives for download, it contains a file which is termed as adressbook.html. The file contains the contact information that you upload.
Due to the flaw in the technique which Facebook has used for the implementation of the above mentioned process, it also gathered the contact information which is uploaded by other users related to the same person if one had any similar data, causing to build huge dossiers on other people.
Testing has shown that when one email is uploaded for any individual, it results in dozens of additional contact information. Noteworthy here is that the collection of such information goes with all the uploaded data, regardless of the fact that whether a contact is a Facebook user or not.
Many people who came to known that they are having a shadow profile which also contains information that they have not given to Facebook e.g. cell numbers, got very surprised and a bit angry.
Facebook in response to such people pointed towards their policy related to email collection and they said that the data is voluntarily uploaded by those people who are the friends of the users.
The real alarming situation came to the scene when the research team i.e. packet storm has indicated towards the risk that such shadow profiles have exposed and when they went to Facebook with their concerns.
The fact is that a user has no control on the additional data and information that is stored on the Facebook’s system. The questions which were asked by the research team were quite balanced and reflected the reservations for the user safety and usability.
The first question that was asked was that whether Facebook will discard or do away the information of the people that are not known to have any Facebook account. They can possibly do it by wiping out it within a few days after the request for invite which has been uploaded by the friend of a person is not responded to.
Facebook responded that the data which is uploaded by any user is at their own discretion and the person uploading it can do whatever he/she wants with it. In other words, they have said that the data is of the person who uploads it. The team also asked that whether Facebook would devise a privacy policy through which they will delete all the information or the data related to a person which has been uploaded by a third party and is not matching the data which the person has set in his/her profile or is against the privacy policy which has been set by the person.
In their response, Facebook almost came with a statement that such a restriction would be the violation of the freedom of speech. So what they are basically trying to suggest is that your data is almost at the discretion of your friends and the people whom you known.
Packet Storm has however praised Facebook for swift fixing of the bug.
The company has laid stress on the fact that it is not the Facebook’s security that has been broken, it is in fact the privacy policy of the company which has been violated and the disclosure of this fact is just to protect the user and not to damage the repute of the company.
Shadow profiles have become a serious issue because even if you do not join the social network, your shadow profile might still be up there containing your personal information. You can now get an idea about why the data on Facebook is of so much importance to advertisers, app makers, government and malicious entities.
Packet storm has written that it is now quite evident that Facebook contains correlated data and if does not, then such data can be uploaded, can be utilized for malicious activities and can subject people to risks of illegal activities.
Facebook has though claimed that they will not in any case disclose the additional information if any request is received from the government but still it’s a big threat.
Packet storm has suggested that the remedy for such a situation is a legislation that can restrict the illegal uploading of information. Not many governments are laying stress towards such issues. Maintaining the privacy of a person’s data is important from a security point of view and provisions should be made in this regard.
Still there is no protection related to shadow profiling and related to searching of other people’s information on websites. We still do not have any mandate for identifying and removing information.
Hopefully Facebook will make the required provisions for correcting their policy and procedures and will take the right step to address these issues.
Comments are closed.