Even as Facebook's executives try to rebrand the company as privacy-focused, Facebook still appears to be struggling to cultivate a privacy culture internally and among its third-party developers. As Kevin Poulsen of The Daily Beast reported on April 2, some new Facebook users have been asked to provide not only their email address but also their email password when registering an account.
And in a blog post today, cloud-security researchers at UpGuard reported that they have discovered two publicly accessible caches of Facebook user data generated by third-party applications connected to the Facebook platform. Both caches were stored in Amazon Web Services' Simple Storage Service (S3) buckets in AWS's public cloud.
The email-password practice was first noticed by a software developer and information security expert who goes by the handle e-sushi:
Hey @facebook, requiring the secret password to your personal user email account for verification, or any other use, is a VERY bad idea from an #infosec point of view. Going down this road, you are practically fishing for passwords that you do not need to know! pic.twitter.com/XL2JFk122l
– e-sushi (@originalesushi) March 31, 2019
The requests were made to users registering with addresses from a number of webmail providers. Google's Gmail was not among them: Facebook uses OAuth to verify Gmail accounts, so no email password is required for verification. The distinction matters, because an OAuth flow has the user authenticate to the mail provider and hands Facebook only a scoped token, whereas typing a mail password into Facebook's form hands Facebook the credential itself.
In response to The Daily Beast, a Facebook spokesperson said that email passwords are not stored by Facebook. But given Facebook's previous problems with password handling and other personal data, that statement may be met with healthy skepticism.
The Facebook spokesperson also said that the company has stopped asking for email passwords for webmail accounts. Ars Technica's own test today confirmed that: registering accounts with email addresses on Mail.com and other webmail services, we were instead prompted for a verification code that was emailed to the specified address.
The user-data exposures published by UpGuard were connected to applications affiliated with two different companies. The first, from Cultura Colectiva, a Mexican media company, was a 146-gigabyte data store containing over 540 million records, including Facebook account IDs and their associated reactions, "likes" and comments. UpGuard's researchers compared the volume of content to what was harvested by Cambridge Analytica.
The second cache, also found in an Amazon S3 bucket, was a database backup from an integrated Facebook application called "At the Pool," the researchers report. The database's column labels indicated that it held Facebook user IDs, names, friends, events, photos, groups, location data and other profile information, including favorite music, books, movies and interests. There was also a "password" column, but the passwords were "presumably for the 'At the Pool' app, not for the user's Facebook account," UpGuard's researchers said. Even so, those passwords are risky when exposed, especially if they were reused on other accounts.
Both S3 buckets containing the data have since been closed or secured. But for the Cultura Colectiva store, it took nearly four months from the date of its initial discovery for the bucket to be secured. Cultura Colectiva never responded to emails informing them of the exposed data; the data was secured only today, after Facebook was contacted by a journalist seeking comment. The At the Pool backup was taken offline before UpGuard could notify the developers; the app is no longer active, and the company that owned it may no longer exist.
Both cases show that while Facebook promised to restrict developers' ability to pull personal data out of its service after the Cambridge Analytica scandal, third parties still hold vast amounts of Facebook data. And Facebook has little ability to police how that data is stored, regardless of its new company policies.
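The exposure in both cases was an S3 bucket that anyone on the internet could read. The check below is an added example, not code from Ars Technica, UpGuard or either app's developers: it evaluates the three places a bucket can become public (its ACL, its bucket policy and the account/bucket Public Access Block settings), using the dictionary shapes boto3 returns from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`. All inputs here are constructed samples, including the owner ID and bucket name; no AWS calls are made, so it runs offline.

```python
"""Decide whether an S3 bucket's objects are readable by anyone.  Added example;
all sample ACLs, policies and IDs below are constructed, not real buckets."""
import json

# Grantee URIs AWS uses for the two "everyone" groups in S3 ACLs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}  # permissions that let the grantee list/read objects
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Describe ACL grants giving an everyone-group read access (acl = get_bucket_acl() dict)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS \
                and grant.get("Permission") in READ_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEE_URIS[uri]}")
    return findings


def _is_wildcard_principal(principal):
    # Bucket policies express "anyone" as "*" or {"AWS": "*"} (the latter possibly a list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Describe Allow statements open to any principal (policy_json = get_bucket_policy()['Policy']).
    A Condition block narrows access, so such statements are flagged for manual review."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = stmt.get("Sid", "<no Sid>")
        note = " (restricted by Condition, review manually)" if stmt.get("Condition") else ""
        findings.append(f"policy statement {sid} allows {', '.join(actions)} to Principal *{note}")
    return findings


def public_access_block_gaps(pab):
    """Names of the Public Access Block settings not enabled (pab = PublicAccessBlockConfiguration or None)."""
    if pab is None:
        return list(PAB_KEYS)
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def assess_bucket(acl, policy_json, pab):
    """Return (is_public, findings).  A public grant or statement only exposes data if the
    block setting that would neutralise it (IgnorePublicAcls / RestrictPublicBuckets) is off."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    gaps = public_access_block_gaps(pab)
    findings = acl_hits + policy_hits
    if gaps:
        findings.append("Public Access Block not fully enabled: " + ", ".join(gaps))
    is_public = (bool(acl_hits) and "IgnorePublicAcls" in gaps) or \
                (bool(policy_hits) and "RestrictPublicBuckets" in gaps)
    return is_public, findings


# Constructed samples: a bucket whose ACL and policy both open it to the world, and a private one.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LOCKED_DOWN_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, None)),
                       ("same grants, block enabled", (EXPOSED_ACL, EXPOSED_POLICY, LOCKED_DOWN_PAB)),
                       ("private", (PRIVATE_ACL, None, LOCKED_DOWN_PAB))):
        is_public, findings = assess_bucket(*args)
        print(f"{name}: public={is_public}")
        for line in findings:
            print("  -", line)
```

The second sample case is the one worth noting: the same public ACL and policy are present, but with all four Public Access Block settings on, the bucket is reported as not public, which is why enabling that block at the account level is the quickest way to close exposures like these without auditing every ACL first. To run it against live buckets, feed the function the responses of boto3's `get_bucket_acl`, `get_bucket_policy` (catching `NoSuchBucketPolicy`) and `get_public_access_block` (catching `NoSuchPublicAccessBlockConfiguration` and passing `None`).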