Facebook working to fix bug that could expose millions of mobile users to privacy hacks

Eric Pfeiffer
The Sideshow

The producers of a privacy app say they unintentionally have stumbled across a major Facebook bug that makes million of users vulnerable to identify theft from hackers.

“We really didn’t believe it at first,” MyPermissions CEO Olivier Amar told Yahoo News in a phone interview. “Any application that uses Facebook to connect can be shut down.”

Put simply, the bug prohibits users from revoking an app’s access to their personal information on Facebook’s permissions page.

Amar and his team discovered the bug while testing their app, which allows users to control privacy settings on various Facebook games, apps and functions. When they went to the privacy settings for some of the site’s biggest apps, they realized they couldn’t access the user settings.

Nearly half of Facebook users access exclusively their accounts through a mobile phone or tablet and more than 150 applications have privacy permissions pages that could be affected by the bug.

“Think about it like this: you download an app that promises to do one thing, but actually comes from a hacker who wants to seriously invade your privacy by mining your data,” reads a post on the company’s blog. “Given the right coding, this developer could trigger the same effect, basically making it impossible for a user to disconnect this malware app and revoke its permission to access your personal information.”

At first, they thought that simply meant users couldn’t delete certain apps from their phones and tablets. But after stress testing the bug throughout the evening on Wednesday, they discovered the issue was much more serious.

If a hacker replicated the code used in the bug, they could block a user from accessing their own account for several hours, giving the hacker access to a list of contacts, phone numbers, emails and other private information.

“We have a former hacker that works for us,” Amar said. “He told us that this is something he absolutely would have used and that the code could be replicated in less than hour.”

Amar said that after confirming the bug’s existence, his team immediately reached out to Facebook’s privacy team.

“The first thing we did, we went straight to Facebook,” he said. “They did a fantastic job of getting in touch with us very quickly. Facebook takes this very seriously and I’m very impressed by them.”

Neither Facebook nor MyPermissions have publicly said when the bug will be removed but it likely will be gone by the end of Thursday.

Yahoo reached out to Facebook directly for comment. The company said it is not able to publicly comment at this time but pointed us to this post, in which a commenter presumably from Facebook says no on at the company has so far been able to replicate the alleged bug:

"We first learned of this claim a few hours ago. We've been in touch with MyPermissions directly and are waiting to receive more information from them," reads the comment. "At this point, we haven't been able to reproduce the reported issue or validate the existence of a vulnerability."

Facebook has made a number of changes to its privacy settings in recent months and has made several public gestures to assume users that they can directly control and moderate how much of their information is available to the public.

Still, anytime a user voluntarily agrees to share their personal information with an outside app, they are taking some level of risk akin to entering one’s credit card information or other personal info on any number of retail sites.

Amar refused to divulge the process for replicating the bug on the record during our interview, but needless to say, it could be accomplished by someone with a basic knowledge of coding in a short amount of time if they knew where to look.

“We shut down the biggest Facebook applications permissions pages on mobile,” he said. “We were literally doing it 50-100 applications at a time. Within the space of 30 seconds, we could shut down 100 applications at a time.”

Amar said that while he believes the bug is limited to mobile and tablet devices, he said Facebook is testing it on desktops as well to completely eliminate any potential breaches.

And while he and his team are happy to help, he said it’s “a little odd” to be working directly with Facebook when his company’s mission has essentially been to protect users’ privacy from Facebook.

“We really set out to protect users,” he said. We never thought we’re going to end up protecting Facebook.”

Follow Eric Pfeiffer on Twitter