Some third-party Facebook apps could be misusing user data for ransomware, spam, and targeted advertising, according to a study by researchers at the University of Iowa. Their work, which hasn’t yet been peer-reviewed, used a tool called CanaryTrap in conjunction with Facebook’s ad transparency tool to detect unrecognized uses of users’ personal data.
Facebook hosts countless third-party apps that have access to potentially billions of accounts containing information like email addresses, dates of birth, gender, and likes. Making matters worse, it’s difficult to detect data misuse by these apps because they store data on servers beyond the purview of Facebook itself.
The coauthors of the study developed CanaryTrap to shed light on this: a tool that uses “honeytokens,” monitored email accounts, to detect unauthorized data use. CanaryTrap first shares a honeytoken with a third-party app, and the researchers then identify the advertisers who used that honeytoken. Advertisers on Facebook can target ads to custom audiences by uploading email addresses, a capability the coauthors exploited by checking whether each advertiser that uploaded a honeytoken could be recognized as the target app. If it couldn’t, the researchers took that as evidence that the address (or addresses) had been misused.
Because Facebook’s anti-abuse system thwarts bulk account registration and limits how often the email address associated with an account can be rotated, scaling CanaryTrap required designing two sharing frameworks: an array framework and a matrix framework. The array framework rotates addresses while keeping a one-to-one mapping between each shared honeytoken and a single app; the matrix framework shares each honeytoken with multiple apps and then attributes the misuse to the app responsible.
Over the course of more than a year, the coauthors applied CanaryTrap to 1,024 third-party Facebook apps. Since Facebook doesn’t provide an index of third-party apps, they sourced a database of 25,800 email address-requesting apps compiled by other researchers, of which they randomly selected the 1,024.
The research team then set up an email server and used a list of popular names to create accounts adhering to the “[email protected]” template (e.g., [email protected]). Next, they registered three Facebook accounts in total, setting the privacy settings such that the accounts’ information, including email addresses, remained private to everyone except for the installed apps.
Sixteen third-party apps shared addresses with unrecognized senders out of the 1,024, according to the coauthors. Of these, nine apps had a disclosed relationship with the senders, which were typically external services (e.g., user authentication services), partner or affiliate websites, or companies that acquired the Facebook app. The remaining seven had an unknown relationship, meaning the senders potentially had access to the user’s data through breaches or leakages on the app’s servers or through secret data-sharing deals.
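The bookkeeping behind the two sharing frameworks and the recognized/unrecognized sender check described above, as an added Python example that is not the study’s own code. It assumes a particular matrix layout that the article does not spell out: apps are placed in a grid, one honeytoken is shared with every app in a row and another with every app in a column, and an app is attributed only when both the row token and the column token it received show misuse. It also assumes a sender is “recognized” when its mail domain is the app’s own domain or one the app discloses as a partner; the app names, domains and inbound messages are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class App:
    """A third-party app and the domains it discloses sharing data with (constructed)."""
    name: str
    domain: str
    disclosed_partners: FrozenSet[str] = frozenset()


def make_honeytoken(label: str, domain: str = "honeytokens.example") -> str:
    """Constructed monitored address; the study ran its own mail server instead."""
    return f"{label}@{domain}"


def array_framework(apps: List[App]) -> Dict[str, App]:
    """Array framework: every honeytoken is shared with exactly one app (one-to-one)."""
    return {make_honeytoken(f"array-{i:03d}"): app for i, app in enumerate(apps)}


# (row_token, column_token) -> the app that received both tokens
Grid = Dict[Tuple[str, str], App]


def matrix_framework(apps: List[App], width: int) -> Grid:
    """Matrix framework (assumed layout): apps fill a grid `width` columns wide;
    each app gets the honeytoken of its row and the honeytoken of its column."""
    grid: Grid = {}
    for idx, app in enumerate(apps):
        row, col = divmod(idx, width)
        grid[(make_honeytoken(f"row-{row}"), make_honeytoken(f"col-{col}"))] = app
    return grid


def apps_holding(token: str, grid: Grid) -> List[App]:
    """All apps that were given a particular honeytoken."""
    return [app for (rt, ct), app in grid.items() if token in (rt, ct)]


def classify_sender(apps: Iterable[App], sender: str) -> str:
    """'app' if the sender is one of the apps holding the token, 'disclosed' if it is a
    partner any of them discloses, otherwise 'unrecognized' (the misuse signal)."""
    apps = list(apps)
    domain = sender.rsplit("@", 1)[-1].lower()
    if any(domain == app.domain for app in apps):
        return "app"
    if any(domain in app.disclosed_partners for app in apps):
        return "disclosed"
    return "unrecognized"


def misused_tokens(grid: Grid, messages: Iterable[Tuple[str, str]]) -> Set[str]:
    """Honeytokens that received mail from at least one unrecognized sender."""
    return {to for to, sender in messages
            if classify_sender(apps_holding(to, grid), sender) == "unrecognized"}


def attribute(grid: Grid, misused: Set[str]) -> Set[str]:
    """Attribute misuse to apps whose row AND column tokens were both misused."""
    return {app.name for (rt, ct), app in grid.items()
            if rt in misused and ct in misused}


def demo() -> Set[str]:
    """Four constructed apps in a 2x2 matrix, plus constructed inbound mail."""
    apps = [
        App("shop-app", "shop.example", frozenset({"auth-provider.example"})),
        App("quiz-app", "quiz.example"),
        App("news-app", "news.example"),
        App("game-app", "game.example"),
    ]
    grid = matrix_framework(apps, width=2)
    messages = [  # (honeytoken recipient, sender), all constructed
        (make_honeytoken("row-0"), "welcome@shop.example"),         # the app itself
        (make_honeytoken("row-0"), "login@auth-provider.example"),  # disclosed partner
        (make_honeytoken("row-0"), "offer@pill-spam.example"),      # unrecognized
        (make_honeytoken("col-0"), "offer@pill-spam.example"),      # unrecognized
        (make_honeytoken("col-1"), "digest@quiz.example"),          # the app itself
    ]
    return attribute(grid, misused_tokens(grid, messages))


if __name__ == "__main__":
    print(demo())  # only shop-app holds both the misused row-0 and col-0 tokens
```

The matrix layout is what lets one account’s limited pool of addresses cover many apps, but it is only as precise as the number of simultaneous misusers is small: if two apps in different rows and columns both leak, every cell at the crossing of a misused row and a misused column becomes a candidate, and the ambiguous cells have to be re-tested with one-to-one (array-style) tokens before anyone is named.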
Sixteen apps out of 1,024 might not sound like a lot. But extrapolating out to the tens of thousands of third-party apps available through Facebook, the implication is that there could be many thousands of apps misusing emails and other personal data.
These are the 16 apps:
- Safexbikes Motorcycle Superstore
- Printi BR API
- Nyx CA
- Tom’s Hardware Guide-IT Pro
- Alex’s first app
- Thailand Property Login
- Hop-on, Hop-Off
- The Breast Expansion Story Club
- Jacky’s Electronics
- uCoz.es Login
The researchers report that three of the apps were responsible for 76 malicious emails, including ransomware scams and Viagra spam. Nine of the apps could be linked to 79 “unrelated” emails including promotional offers, links to product listings, and newsletters — a possible violation of Facebook’s Terms of Service, which requires that apps clearly notify users about data usage by other parties. And two of the apps — Safexbikes Motorcycle Superstore and Printi BR API — showed anecdotal evidence that their host sites were breached.
After they deployed CanaryTrap, the researchers used Facebook’s ad transparency tool to identify 47 unique advertisers that uploaded honeytoken email addresses for ad targeting. Nine were unrecognized, indicating that none of the apps disclosed a relationship with the senders.
In the interest of thoroughness, the researchers attempted to contact 100 app publishers out of those that sent emails. After emailing 87 successfully — 13 couldn’t be reached due to website and delivery errors — they received responses from 45 (52%) of the publishers. Only 29 of those acknowledged they had deleted data or canceled accounts. Of more concern is that 49 out of the 87 continued to send at least one email after the submission of the coauthors’ data deletion request.
In light of their findings, the researchers argue Facebook should mandate that developers implement a data deletion request callback in their apps, which would give users a simple mechanism for requesting deletion and help the network audit compliance. “Third-party apps on online social networks with access to users’ personal information pose a serious privacy threat,” they said.
Facebook has a poor track record of preventing apps from improperly accessing users’ data. In 2018, the Guardian revealed that data analytics company Cambridge Analytica improperly obtained the information of up to 87 million Facebook users through a paid personality quiz. Facebook suspended Cambridge Analytica and SCL Group, its parent company, from the platform in mid-March of 2018, after the former used the data to create “psychological profiles” of U.S. voters for ad targeting.
In June 2018, Facebook announced that a bug had resulted in about 14 million Facebook users having their default sharing setting for all new posts set to “public.” And in April 2019, half a billion records of Facebook users were found exposed on Amazon cloud servers, containing information about users’ friends, likes, groups, and checked-in locations, as well as names, passwords, and email addresses.
In response to the Cambridge Analytica scandal and others, last July the U.S. Federal Trade Commission (FTC) imposed sweeping new privacy restrictions on Facebook, including a mandate to suspend third-party apps that don’t certify compliance with the company’s platform policies.
We reached out to Facebook for comment. A spokesperson said the company is reviewing the findings — we’ll update this post once we hear back.