Expert Comments: Facebook Reveals Another Privacy Breach, This Time Involving Developers

By ISBuzz Team, Writer, Information Security Buzz | Nov 07, 2019 04:50 am PST

Facebook has quietly revealed another privacy breach involving approximately 100 developers. On Tuesday, Konstantinos Papamiltiadis, Facebook's Director of Platform Partnerships, said in a blog post that the names and profile pictures of users connected to Groups had remained accessible to those developers through the Groups API.

Before April 2018, a group administrator could authorize an app for a group they managed, and that authorization gave the app's developer access to this member information. In April 2018 Facebook restricted what such apps could read to the group's name, the number of members, and post content; a member's name and profile picture were only to be available if that member opted in to share them. Facebook now says that some apps retained access to the additional data until recently, ZDNet reported today.
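The access model the article describes is a field-level authorization decision: the admin's grant proves an app is authorized for a group, but which member fields it may read should depend on the current policy and on each member's own opt-in, not on when the grant was made. The following is an added example (not Facebook's code, and not from the article) that models that decision in Python. It contrasts a grandfathered implementation, in which the grant date selects the rules and so a pre-2018 app keeps seeing every member, with a hardened one that evaluates today's rules on every request, and adds an audit helper that reports which members a given grant over-exposes. The policy date, data classes, field names and sample group are all assumptions made for the illustration; it also exercises the grandfathered-setting problem one of the commenters raises below.

```python
from dataclasses import dataclass
from datetime import date

# Assumed date of the April 2018 restriction; only its ordering relative to grants matters.
POLICY_CHANGE = date(2018, 4, 1)


@dataclass(frozen=True)
class Member:
    user_id: str
    name: str
    picture: str
    shares_profile_with_apps: bool = False   # the per-member opt-in


@dataclass(frozen=True)
class Group:
    group_id: str
    name: str
    members: tuple
    posts: tuple


@dataclass(frozen=True)
class AppGrant:
    app_id: str
    group_id: str
    granted_on: date   # when the group admin authorized the app


def _require_grant(group, grant):
    # Authorization is checked on every call; a grant for another group buys nothing here.
    if grant.group_id != group.group_id:
        raise PermissionError(f"{grant.app_id} is not authorized for {group.group_id}")


def legacy_group_view(group, grant):
    """Grandfathered behaviour: the grant date decides which rules apply, so an app
    authorized before the policy change still receives every member's name and
    picture whether or not that member opted in."""
    _require_grant(group, grant)
    view = {"name": group.name, "member_count": len(group.members), "posts": list(group.posts)}
    if grant.granted_on < POLICY_CHANGE:
        view["members"] = [{"name": m.name, "picture": m.picture} for m in group.members]
    else:
        view["members"] = [{"name": m.name, "picture": m.picture}
                           for m in group.members if m.shares_profile_with_apps]
    return view


def current_group_view(group, grant):
    """Hardened behaviour: the grant only proves the admin authorized the app; what
    the app may read is decided by today's rules and each member's opt-in."""
    _require_grant(group, grant)
    return {
        "name": group.name,
        "member_count": len(group.members),
        "posts": list(group.posts),
        "members": [{"name": m.name, "picture": m.picture}
                    for m in group.members if m.shares_profile_with_apps],
    }


def over_exposed_members(group, grant):
    """Audit helper: members the legacy view hands to this app that the current
    policy would withhold. A non-empty result means the grant was grandfathered."""
    legacy = {m["name"] for m in legacy_group_view(group, grant)["members"]}
    current = {m["name"] for m in current_group_view(group, grant)["members"]}
    return sorted(legacy - current)


# Constructed sample data for the illustration; not a real group or real apps.
SAMPLE_GROUP = Group(
    group_id="g1",
    name="Neighbourhood watch",
    members=(
        Member("u1", "Alice", "https://example.invalid/alice.jpg", shares_profile_with_apps=True),
        Member("u2", "Bob", "https://example.invalid/bob.jpg"),
        Member("u3", "Carol", "https://example.invalid/carol.jpg"),
    ),
    posts=("Meeting on Thursday", "Lost cat found"),
)
OLD_APP = AppGrant("manager-app", "g1", date(2017, 9, 1))    # authorized before the change
NEW_APP = AppGrant("scheduler-app", "g1", date(2019, 6, 1))  # authorized after the change

if __name__ == "__main__":
    print("legacy view, old grant :", [m["name"] for m in legacy_group_view(SAMPLE_GROUP, OLD_APP)["members"]])
    print("legacy view, new grant :", [m["name"] for m in legacy_group_view(SAMPLE_GROUP, NEW_APP)["members"]])
    print("current view, old grant:", [m["name"] for m in current_group_view(SAMPLE_GROUP, OLD_APP)["members"]])
    print("over-exposed by old grant:", over_exposed_members(SAMPLE_GROUP, OLD_APP))
```

The point of `over_exposed_members` is that a platform changing a privacy rule can compute, for every existing grant, exactly which users are exposed under the old code path, rather than discovering it during a later review; the hardened view makes that set empty by construction because no code path consults the grant date.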

3 Expert Comments
Joseph Carson, Thycotic
November 7, 2019 1:04 pm

Another major FACEBOOK data breach resulting from poor API access security controls. API access should be treated as privileged, and any access to APIs should follow privileged access management best-practice security to ensure that access is approved and authorized. APIs typically allow automation and integration to ensure that applications can perform the tasks required to function properly; however, many companies focus on making them available quickly and on ease of use, then try plugging security controls into them after they have already been available for long periods of time. In some instances, when security is more difficult, companies have to change the way the API works or revoke access to the API altogether, which is what FACEBOOK have done in this latest privacy failure. FACEBOOK must prioritize privileged access management best practices and apply the principle of least privilege to all new services as well as existing services. It might be a good time to get Mark Zuckerberg a gift-wrapped copy of my latest book, Least Privilege Cybersecurity for Dummies, as FACEBOOK might learn something about security and privacy by reading this book.

Will LaSala, Director of Security Services, Security Evangelist
November 7, 2019 1:00 pm

In my view, Facebook was reviewing their policies and how they were implemented, then came across an unintended flaw in their APIs that allowed certain developers access to information that they now restrict. From Facebook's explanation on their blog, most of these apps were designed to help manage people within a group. The most important thing to remember here is that the original group administrator had to add and approve these applications, and they also had access to the restricted data. Now Facebook has made a change to their privacy policy and is ensuring that applications adhere to that policy. From a consumer standpoint, this should be an indicator to go and check the groups that you belong to, make sure you agree with the apps the group administrator has granted permission to use, and ask to find out what types of data those apps have access to. If you disagree with the group's privacy, then remove yourself from the group so they will stop having access to it. It is important that consumers stay vigilant when it comes to their privacy.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
November 7, 2019 12:54 pm

As Facebook have demonstrated over the years, maintaining a matrix of permissions for any account is challenging. This comes not only from how privacy expectations are communicated and set, but through how they might be verified. Looking specifically at Groups, while a Group administrator might authorize an application to access certain aspects of their Group, individual users might have a different preference. As feature changes occur, it’s not uncommon for legacy settings to be grandfathered for a period of time, but when the feature involves a privacy setting such a grandfather policy can become problematic.

Given the pace of feature development on social media platforms, and the complexity of social networks, users must rely on the social media platforms to place their privacy expectations above all else. This can and should include a concise page showing what data is, either explicitly or implicitly, available to which application, data service, Group, or User. Additionally, when settings change or new entities gain access to data, users should be alerted to the change. Armed with this information in a concise manner, individual users can then become active participants in managing their personal data, and abuses at any level can be readily identified without requiring a government mandate on the social media platform to perform a privacy review.
