Facebook is finally making changes to its data sharing controls - but is it too little, too late?

06 Apr 2018

Facebook’s chief technology officer has admitted that most users of the world’s biggest social network could have been subjected to data scraping by malicious cyber attackers.

The attackers could have used Facebook’s search and account recovery features to connect the dots between emails, phone numbers and the person they belong to – an abuse of a legitimate feature that has now been disabled.

“Malicious actors have… abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery,” comments Mike Schroepfer.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”

The revelation comes as the massive Cambridge Analytica fallout continues – with the latest statistics suggesting 87 million users, including more than 300,000 Australian users, could have had their data caught up in improper data sharing.

Facebook has been left scrambling to clean up its privacy policies and may be subject to legal action from people who believe their data has been improperly treated. It could also be a case of too little, too late for many disgruntled Facebook users.

The new wave of Facebook changes includes restricting app access to the Events, Groups, Instagram, and Pages APIs; Facebook logins; search and account recovery; call and text history; partner categories; and app controls.

Here is a summary of each category’s changes as explained by Schroepfer:

Events API: Until today, people could grant an app permission to get information about events they host or attend, including private events. Starting today, apps using the API will no longer be able to access the guest list or posts on the event wall. And in the future, only apps we approve that agree to strict requirements will be allowed to use the Events API.

Groups API: Currently apps need the permission of a group admin or member to access group content for closed groups, and the permission of an admin for secret groups.

Going forward, all third-party apps using the Groups API will need approval from Facebook and an admin to ensure they benefit the group. Apps will no longer be able to access the member list of a group. And we’re also removing personal information, such as names and profile photos, attached to posts or comments that approved apps can access.

Instagram Platform API: We’re making the recently announced deprecation of the Instagram Platform API effective today.

Pages API: Until today, any app could use the Pages API to read posts or comments from any Page. We want to make sure Page information is only available to apps providing useful services to our community. So starting today, all future access to the Pages API will need to be approved by Facebook.

Facebook Login: Starting today, Facebook will need to approve all apps that request access to information such as check-ins, likes, photos, posts, videos, events and groups. We’re tightening our review process — requiring these apps to agree to strict requirements before they can access this data.

We will also no longer allow apps to ask for access to personal information such as religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity.

In the next week, we will remove a developer’s ability to request data people shared with them if it appears they have not used the app in the last 3 months.

Search and Account Recovery: Until today, people could enter another person’s phone number or email address into Facebook search to help find them. We have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.

Call and Text History: Call and text history is part of an opt-in feature for people using Messenger or Facebook Lite on Android. We’ve reviewed this feature to confirm that Facebook does not collect the content of messages — and will delete all logs older than one year. In the future, the client will only upload to our servers the information needed to offer this feature — not broader data such as the time of calls.

Data Providers and Partner Categories: Last week we announced our plans to shut down Partner Categories, a product that lets third-party data providers offer their targeting directly on Facebook.

App Controls: Starting on Monday, April 9, we’ll show people a link at the top of their News Feed so they can see what apps they use — and the information they have shared with those apps. People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica.
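The scraping Schroepfer describes (someone submitting phone numbers or e-mail addresses they already hold to a search or account-recovery feature until each one resolves to a profile) is a contact-enumeration pattern, and it is visible in a service's own request logs long before a feature has to be switched off. The block below is an added illustration, not Facebook code or anything published by Facebook: it assumes a hypothetical lookup endpoint at `/lookup`, a constructed log line format, a constructed set of sample lines, and an assumed threshold of five distinct identifiers per 60-second window. It flags any client that looks up more distinct identifiers in a sliding window than a legitimate "find a friend" user plausibly would, and reports how many of those lookups resolved, which is the signal an analyst would want before deciding to throttle or to stop differentiating found from not-found responses for that client.

```python
"""Detect contact-lookup enumeration in request logs.

Added example (not Facebook's code). Assumptions, all constructed for
illustration: a lookup endpoint at path /lookup, a log line of the form
  <ISO-8601 ts> client=<id> path=<path> id=<hashed identifier> result=match|nomatch
and a threshold of MAX_DISTINCT_PER_WINDOW distinct identifiers per WINDOW.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format; identifiers are already hashed so the log itself holds no PII.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"id=(?P<ident>\S+) result=(?P<result>match|nomatch)$"
)

WINDOW = timedelta(seconds=60)
MAX_DISTINCT_PER_WINDOW = 5  # assumed threshold; tune against observed legitimate use
LOOKUP_PATH = "/lookup"      # hypothetical endpoint name

# Constructed sample log: client c1 sweeps seven distinct identifiers in seven
# seconds (enumeration); client c2 repeats one lookup and tries one more over a
# minute (ordinary use); one account-recovery hit and one unparseable line are
# included to exercise the filters.
SAMPLE_LOG = """\
2018-04-05T10:00:00Z client=c1 path=/lookup id=h001 result=match
2018-04-05T10:00:01Z client=c1 path=/lookup id=h002 result=match
2018-04-05T10:00:02Z client=c1 path=/lookup id=h003 result=nomatch
2018-04-05T10:00:03Z client=c1 path=/lookup id=h004 result=match
2018-04-05T10:00:04Z client=c1 path=/lookup id=h005 result=match
2018-04-05T10:00:05Z client=c1 path=/lookup id=h006 result=match
2018-04-05T10:00:06Z client=c1 path=/lookup id=h007 result=match
2018-04-05T10:00:10Z client=c2 path=/lookup id=h101 result=match
2018-04-05T10:00:20Z client=c2 path=/lookup id=h101 result=match
2018-04-05T10:00:40Z client=c2 path=/lookup id=h102 result=nomatch
2018-04-05T10:00:41Z client=c2 path=/recover id=h103 result=match
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "path": m["path"],
            "ident": m["ident"], "result": m["result"]}


def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT_PER_WINDOW):
    """Flag clients whose distinct lookups in any sliding window exceed max_distinct.

    Returns {client: {"distinct": n, "matches": m, "at": ts}} describing the
    window state at the moment the client first crossed the threshold.
    """
    per_client = defaultdict(deque)  # client -> deque of (ts, ident, result)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != LOOKUP_PATH:
            continue
        q = per_client[rec["client"]]
        q.append((rec["ts"], rec["ident"], rec["result"]))
        # Drop entries that have aged out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({ident for _, ident, _ in q})
        if distinct > max_distinct and rec["client"] not in flagged:
            matches = sum(1 for _, _, r in q if r == "match")
            flagged[rec["client"]] = {"distinct": distinct, "matches": matches, "at": rec["ts"]}
    return flagged


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['distinct']} distinct identifiers "
              f"({info['matches']} resolved) within {WINDOW.seconds}s at {info['at'].isoformat()}")
```

On the sample data only `c1` is flagged, at the sixth distinct identifier; `c2`'s repeated lookup of the same identifier does not inflate its distinct count, and the `/recover` request is ignored by this detector because the threshold for account recovery would normally be set separately. A high ratio of `match` results inside the flagged window is the tell that the submitted identifiers were already known to the caller, exactly the abuse the article describes.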
