Facebook expected as much: the business of data leaks built on scraping is here to stay. Security researcher Alon Gal posted a video on YouTube showing a tool that links email addresses to Facebook accounts, even when the account owner does not make that address public on their profile.
The video demonstrates a tool that automatically associates email addresses with Facebook accounts. The video uploaded by Alon Gal has no audio track, but another researcher who had access to the original video posted a transcript on Twitter of the spoken commentary given by the researcher behind it. He explains that the tool can extract up to 5 million email addresses per day.
According to Motherboard, the tool exploits a vulnerability that an anonymous researcher reported to Facebook. The researcher explains that he contacted Facebook to report the vulnerability but, with no fix forthcoming from the company, chose to share information about the tool to push Facebook into correcting it. According to him, the tool is currently on offer on cybercriminal forums, whose members can use it to retrieve email addresses from Facebook accounts and enlarge databases of data gathered on the social network's users. He specifies that the tool can retrieve the email address of any user who has set the visibility of their email address to anything other than "only visible to me".
According to a Facebook spokesperson, the failure to fix the vulnerability stems from an internal error: the company closed the report on its bug bounty platform without forwarding it to the team concerned. Facebook says mitigating measures have been put in place to limit the scope of the vulnerability and that its teams are currently studying the researcher's findings to better understand the bug.
Data scraping in the crosshairs
As with the earlier data leaks affecting Facebook, LinkedIn and Clubhouse, the technique used here amounts to scraping, that is, the collection of more or less public data with automated tools. The practice is widespread but remains a gray area when it comes to data collection: the affected social networks regularly reply that the data is public and can therefore be freely collected and used by third parties. In Facebook's case, however, some of the data was obtained by exploiting security vulnerabilities in the social network that allow the privacy settings chosen by users to be bypassed.
Scraping is also a contested subject from a legal standpoint. In a case dating from 2017, LinkedIn sued the company hiQ, which was collecting public information from its network on a massive scale. The US courts ultimately ruled in favor of hiQ, holding that public information could be freely used by a third party.
In Europe, the GDPR specifies that a user's personal data cannot be used without their consent. In 2019, the CNIL carried out several investigations into companies specializing in this type of data collection and found several breaches of data protection law, in particular a failure to inform the persons concerned and to obtain their consent. In any case, indiscriminate scraping for malicious purposes and the exploitation of flaws to bypass privacy settings seem hard to defend.