This series of vulnerabilities, or errors, in the popular social network has one particularity: Facebook considers them important functionalities within its environment and, therefore, says they cannot be eliminated.
Initially, on July 18, a Spanish researcher discovered a vulnerability that allows an open redirect from the mobile platform of the social network (m.facebook.com).
That is, by following a simple procedure, it is possible to trick users into believing they are entering Facebook when in reality they may be entering another site. Criminals could use this method to commit fraud and scams on the Internet.
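An open redirect of this kind exists whenever a site forwards the user to whatever address a request parameter names, without checking that the address belongs to the site itself. The following is an added example, written for this article and not code from Facebook or from the researchers quoted here, of how a defender validates such a "next" parameter before issuing a redirect. The allow-list of hosts, the base URL, the parameter name and the fallback path are assumptions chosen for illustration; the sample inputs are constructed and cover the common ways a naive check is fooled (protocol-relative URLs, backslashes, credentials in the URL, look-alike subdomains, non-http schemes and header injection).

```python
"""Open-redirect hardening: validate a user-controlled 'next' parameter
against an allow-list of hosts before putting it in a Location header."""
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed allow-list for this example; a real deployment configures its own hosts.
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}
BASE_URL = "https://m.facebook.com/"   # assumed base used to resolve relative targets
FALLBACK_PATH = "/"                     # where to send the user when the target is rejected


def resolve_redirect(next_param: str) -> Optional[str]:
    """Return the absolute URL the redirect would actually land on, or None
    when the parameter must not be used as a redirect target."""
    candidate = next_param.strip()
    # Reject control characters outright: CR/LF enable response-header injection,
    # and tabs/newlines are silently dropped by browsers and by urlsplit itself.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None
    # Browsers treat a backslash like a forward slash, so "/\evil.example" is
    # read as the protocol-relative "//evil.example". Normalise before parsing.
    candidate = candidate.replace("\\", "/")
    # Resolve exactly as a browser would, then inspect the *result*, not the input.
    resolved = urljoin(BASE_URL, candidate)
    parts = urlsplit(resolved)
    # Only plain https targets: this rejects javascript:, data: and http: downgrades.
    if parts.scheme != "https":
        return None
    # .hostname lowercases and strips userinfo and port, so
    # "https://m.facebook.com@evil.example/" yields host "evil.example".
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return resolved


def safe_redirect_target(next_param: Optional[str]) -> str:
    """Value to place in the Location header: the validated target or the fallback."""
    fallback = urljoin(BASE_URL, FALLBACK_PATH)
    if not next_param:
        return fallback
    return resolve_redirect(next_param) or fallback


if __name__ == "__main__":
    # Constructed sample parameters; each line shows what the user would actually get.
    for sample in ["/friends/edit/?sk=phonebook", "//evil.example/login",
                   "https://m.facebook.com@evil.example/", "/\\evil.example",
                   "javascript:alert(1)", "https://m.facebook.com.evil.example/"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

The important design choice is to validate the URL after resolving it against the site's own base, rather than pattern-matching the raw parameter: a check such as "starts with /" or "contains facebook.com" passes every one of the rejected samples above.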
Facebook admitted this anomalous behavior but said "it lies in a functionality they need and therefore prefer to take the risk."
Following this discovery, another researcher, from Chile, published a method to determine in an automated way (by making thousands of simultaneous, uncontrolled queries) whether a person is registered on the social network, knowing only their email address or telephone number.
Again, the company stated that "this ability to locate friends through mail is part of the core of Facebook, and while it may be a vulnerability on a financial site, here it corresponds to a functionality of the network."
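What turns a friend-finder feature into an account-enumeration problem is the absence of any control on volume: one client can ask about thousands of addresses in a short time. Whether or not the lookup itself is kept, the scripted use is visible in the server logs. The following added example, written for this article and not code from Facebook or the researchers, flags clients that query an unusual number of distinct identifiers inside a sliding time window. The log format, the `/lookup` path, the client addresses (documentation ranges), the 60-second window and the threshold of 20 are all constructed assumptions; the sample log is generated in the block and includes a low-and-slow client to show the limit of a pure window count.

```python
"""Detecting automated account-existence probing in access logs: flag any client
that looks up many distinct identifiers within a short sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed log format: "<ISO timestamp> <client> <path> <query>" (one request per line).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<path>\S+) (?P<query>\S+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skipped rather than crashing the detector
    return datetime.fromisoformat(m["ts"]), m["client"], m["path"], m["query"]


def peak_distinct_lookups(lines: Iterable[str], path: str = "/lookup",
                          window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """For each client, the largest number of *distinct* identifiers it looked up
    inside any window of the given length. Lines are processed in time order."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, identifier), oldest first
    peak: Dict[str, int] = defaultdict(int)
    for line in sorted(lines):    # fixed-width ISO timestamps sort lexicographically
        parsed = parse_line(line)
        if parsed is None or parsed[2] != path:
            continue
        ts, client, _, query = parsed
        q = recent[client]
        q.append((ts, query))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = len({ident for _, ident in q})
        peak[client] = max(peak[client], distinct)
    return dict(peak)


def flag_enumerators(lines: Iterable[str], threshold: int = 20, **kw) -> List[str]:
    """Clients whose peak distinct-lookup count reaches the threshold."""
    peaks = peak_distinct_lookups(lines, **kw)
    return sorted(c for c, n in peaks.items() if n >= threshold)


def build_sample_log() -> List[str]:
    """Constructed traffic, not real data: one scripted client, one ordinary user,
    one slow script and one client repeating a single lookup."""
    base = datetime(2011, 7, 29, 10, 0, 0)
    lines = []
    # Scripted client: 30 different addresses in 30 seconds.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 /lookup q=user{i}@example.net")
    # Ordinary user: three lookups spread over six minutes.
    for i, name in enumerate(["ana", "luis", "marta"]):
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} 198.51.100.22 /lookup q={name}@example.net")
    # Low-and-slow script: 40 different addresses, one every 5 seconds.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 192.0.2.9 /lookup q=slow{i}@example.net")
    # Repeated lookup of one address (noisy, but not enumeration).
    for i in range(50):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.50 /lookup q=same@example.net")
    return lines


SAMPLE_LOG_LINES = build_sample_log()

if __name__ == "__main__":
    for client, n in sorted(peak_distinct_lookups(SAMPLE_LOG_LINES).items()):
        print(f"{client:15} peak distinct lookups in 60 s: {n}")
    print("flagged:", flag_enumerators(SAMPLE_LOG_LINES))
```

Counting distinct identifiers rather than raw requests keeps the repeated-lookup client out of the alert, but the slow script stays under a 60-second threshold of 20 (its peak is 13); in practice this window count is paired with a longer-horizon per-client total, and the server-side fix is a rate limit plus a response that does not reveal whether the identifier exists.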
Paradoxically, coinciding with these findings, Facebook launched its "Bug Bounty" program, whose objective is to pay $500 to those who discover critical vulnerabilities in the platform, similar to what Google has done since 2010.
Cristian Borghello stressed to iProfesional.com: "Needless to say, neither of the two previous discoveries was rewarded, because they have not even been recognized as flaws."
Also at the end of July, a message began to circulate in Spanish-speaking countries warning that the Facebook application for all smartphones shares (and still does) the user's personal address book, by default and without informing them: "Attention, for reasons that are unknown, all smartphones share the information in one's personal address book with the company Facebook; see for yourselves."
Indeed, when the app is installed, Facebook automatically stores (it does not share, as was incorrectly reported) contact information, profile pictures and calendar entries in order to connect its users at some point. In this regard, Facebook states on its website:
"Activating this feature will periodically send copies of your BlackBerry device contacts to Facebook Inc. to link and connect with your Facebook friends. Profile pictures and information about you and your friends on the social network will also be periodically sent from your Facebook to your BlackBerry contact list and calendar. You agree that access to this data (e.g. via apps) will no longer be subject to your privacy settings and those of your Facebook friends once it is stored on your BlackBerry device."
Facebook, through its fan page, has denied the "rumors" that this information is shared publicly and has said that "the possibility of seeing the address book has been around for a long time and was designed to show a single list of contacts instead of having to visit each profile".
For Borghello, "this statement is true, since the information is not shared openly with everyone, but it has long been taken from the phone and stored on the Facebook platform, without properly communicating it to the user."
The computer specialist pointed out that the contents already shared "can be deleted and this 'functionality' can be disabled, but whoever does not pay attention to this fact when installing the application will be openly sharing all the information and, what is even worse, will also be providing it to the social network without the corresponding permission of its owners".
To correct this, you must enter the social network through the smartphone, where there is an option that must be disabled. The access address is: https://www.facebook.com/friends/edit/?sk=phonebook
For Borghello, "the reason for considering a supposed functionality a vulnerability lies in the point from which such anomalous behavior is observed":
Facebook sees it from the additional advantages the user gains by using this functionality, or from the benefits obtained by the social network, without forgetting its economic motives and the fact that its creator has declared that "he does not believe in privacy or intimacy".
"Those of us who work in security see it from the point of view of user privacy and how it is trampled, simply to obtain a questionable advantage that, in any case, could be achieved in another, more reliable way," said the specialist.
"Regardless of whether the aforementioned findings should be considered functionalities or vulnerabilities, the most important thing to note is that, according to the company, these behaviors, and surely many others, serve the growth of the social network, which is obviously placed above the privacy of the user, who is the one who ultimately ends up paying for their access while believing that it is free," Borghello concluded.
Source: iProfesional and ZMA

