A CHROME EXTENSION called Grouply.io allowed marketers to harvest the personal information of members of private Facebook groups.
The loophole was investigated by security researcher Fred Trotter, who had been contacted by Andrea Downing, a moderator of a members-only Facebook group for women with a high genetic risk of developing breast cancer. The Facebook group’s members frequently shared highly personal information about their conditions, including surgical details.
Facebook groups have three accessibility categories: public, closed and secret. In public groups, the list of members and all posts of the group are publicly accessible. In closed groups, the posts are private but the group itself can still be found by search, while secret groups cannot be searched at all.
The BRCA Sisterhood group used the ‘closed’ rather than the ‘secret’ setting as its moderators wanted posts to be searchable. However, Downing was shocked to discover that the names, employers, locations and email addresses of the group’s members could be downloaded easily by anyone using the Grouply.io extension.
Trotter, a specialist in health data security, found that the Grouply.io extension was taking advantage of a Facebook privacy loophole. He was also able to obtain this information manually without having to use the extension. He reported the issue to Facebook on 29 May.
Facebook denied the glitch was a loophole. As reported by CNBC, the company said: “Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members.
“That work is ongoing and may lead to changes that address some of your concerns going forward.”
On 29 June Facebook closed the loophole and has since changed its privacy policies covering closed groups. The Grouply.io extension is no longer available.
Source: Inquirer