Facebook has recently found itself in controversy after controversy about their data privacy. The leading social media platform hosts a plethora of third-party apps that the users end up using and allow access to information like names, gender, email ids, dates of birth and likes. This means these apps have access to billions of accounts in this manner. These apps store their data on servers that even Facebook doesn’t access to, making it more difficult to detect misuse of data.
A Pakistani researcher, Shehroze Farooqi working at the University of Iowa has found some third-party Facebook apps that could be misusing your data for anything between targeted advertising to ransomware. The team behind the study used the CanaryTrap tool to detect unrecognized uses of users’ personal data. Their work has been accepted to the Privacy Enhancing Technologies Symposium (PETS).
The team behind the study developed CanaryTrap to bring light to this, a tool that employs honeytokens containing monitored email accounts to detect unauthorized data use. First CanaryTrap shares a honeytoken with a third-party app, and then the researchers identify advertisers who shared the honeytokens. Advertisers on Facebook can use email addresses to target ads to custom audiences, a capability the coauthors exploited by checking whether advertisers could be recognized as the target apps. If they couldn’t, the researchers’ assumption was that the address or addresses had been misused.
Farooqi shared the details of the working in a Twitter thread.
Given that Facebook’s system for anti-abuse works around bulk account registration and limits the frequent rotation of the addresses associated with the accounts, in order to scale CanaryTrap it was required to design two frameworks. One is the array framework which rotated addresses while maintaining one-to-one mapping between shared honeytokens and apps. The other framework is the matrix framework which attributes the app responsible for data misuse while sharing a honeytoken to multiple apps.
This research has been spread over the course of more than a year in which the team applied the CanaryTrap to 1,024 third-party Facebook apps. As the social media platform doesn’t provide an index of these apps, the team sourced a database of 25,800 email address requesting apps compiled by other researches, from which the final 1,024 were randomly selected.
Sixteen third-party apps shared addresses with unrecognized senders out of these 1,024, according to the team. Of these, nine apps had a disclosed relationship with the senders, which were typically external services, or affiliate websites, or companies that acquired the Facebook app. The remaining seven had an unknown relationship, meaning the senders potentially had access to the user’s data through breaches or leakages on the app’s servers or through secret data-sharing deals.
In light of these findings, the researchers are of the opinion that Facebook should mandate that developers implement data deletion request callback into their apps. This is a user friendly mechanism that could help the network audit compliance.
Facebook has recently announced additions to its platform terms and developer policies, which will be in effect from 31 August, 2020. As per these new policies there is going to be a limit on the information developers can share with third parties without explicit consent from users, making it their responsibility to safeguard the user data.
For now sixteen apps might not sound like a large quantity but the extensive implication around data security through social media apps is quite significant.