How Facebook lies about their privacy settings
While I was reading some of Inti De Ceukelaire’s old writeups, I came across “How I got your phone number through Facebook”. Facebook’s reply on his submission was that the “Who can look me up” settings are set to Public.
After reading this, I decided to have a look at the “Who can look me up settings. I set them to “Only me” and started testing whether it does what it is supposed to do. The first thing I did was log out and try the password reset function. I filled in my phone number and there it was, my full name + profile picture. This means the privacy settings are not exactly doing what they should be doing.
I tried this in different browsers and incognito mode to be sure that it’s not just because the browser remembers my account, but this was not the case. I started reading Facebook help pages to find out if they mention this behavior somewhere, but they didn’t.
At this point I straight up thought that Facebook just forgot to apply the privacy settings on this part of their platform. I reported it, and while waiting for a reply, I wanted to test this with my dad’s account, but it didn’t work (Note that I was not home at that point). I turned on a VPN-connection to my VPN-server at home and tried again. This time I was able to see my dad’s full name and profile picture, so it looks like this issue is based on a public IP-address. I mentioned this to Facebook but they simply responded with the following.
As I suspected, they weren’t able to link to any of their help pages like they did on Inti’s submission. So they mention that they clarify at the bottom of the page that they explain why I see my full name. This message was displayed.
The message was displayed on www.facebook.be, but when I browsed to m.facebook.be, they didn’t give me any information. I told this to the triager and asked him if this meant I am still able to look anyone up with their email or phone number as long as I know what public WiFi’s they connect to, and how long this network gets remembered. Because at this point, I can still lookup any other student in my school that has connected to the WiFi before, regardless of their privacy settings.
I also mentioned article 5 of the GDPR to the triager. Section 1.a states
1. Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparancy’);
In this case the data of the subject isn’t being processed in a transparent way at all. If a user changes his “Who can look me up” settings to “Only me”, only he should be able to look himself up, not anyone else and not with any exceptions. And if there are any exceptions, Facebook should at least notify the user about them.
The triager replied that I just described intended functionality and if I have legal concerns I can fill in the Facebook’s feedback form. He did not answer any of my questions.
Since Facebook calls this intended behavior and is not planning on changing this, I decided to write a blog post about it.
Attack scenario
You are the owner of a public Facebook page that posts about local activities and news. You prefer to keep your identity private. On your page you have an email address like “info@page-name.com” this same email address is used to login to your private profile. An attacker visits a few local hotspots and finds one you have connected to before. The attacker uses the forgot password function and is now able to see your full name and profile picture.
I know this kind of attack is rather rare, but it shows that your privacy settings are not as safe as you think they are.
Summary
- The who can look me up functionality does only work for people that have no access to a network you have or had access to.
- Facebook does not make this information public and thus is violating the GDPR law in Europe.
- Even if you set your privacy settings right, their might be some unmentioned exceptions that overwrite your settings.
