The Indian Computer Emergency Response Team (CERT-In), the government-run nodal authority on cybersecurity, put out an advisory on Monday about the data scraping of Facebook users.
Several news reports from earlier this month had claimed that the data of 533 Mn Facebook users had been leaked on hacker forums. Of these, 6 Mn were Indian users. The leaked details include users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and in some cases, their email addresses as well. The social media giant told media agencies that the leak was related to a vulnerability that the company had patched in 2019.
The CERT-In advisory put the number of affected accounts at 450 Mn but maintained that 6 Mn Indian users have also been affected by the data leak. The advisory stated that according to Facebook’s explanation, threat actors scraped the data prior to September 2019 by using the social media platform’s ‘Contact Importer’ feature, which allows users to find other users by using their phone numbers.
“Facebook stated that this feature was changed in September 2019, following the discovery that threat actors were abusing the feature. However, while Facebook modified the feature in 2019 to thwart this type of abuse, the phone numbers of 450 Mn global users had already been harvested by malicious actors, along with other identifying information on users,” read the advisory.
Web scraping refers to the process of using automated scripts or bots for harvesting publicly available information from any site, such as the details that Facebook users make visible to the public on their profile.
Cybercriminals usually scrape data for social engineering purposes, but also sell it on dark web marketplaces or even to call centres, which in turn use it for ‘spamming’ unsuspecting users.
To help users guard their data against such cyber attacks in the future, CERT-In has advised Indian users to update their Facebook privacy settings by choosing to make the information on their profile visible only to their ‘Friends’ and not to the ‘Public’. The authority further advised users to review all of their Facebook privacy settings, turn on login alerts and enable two-factor authentication wherever available.
Recently, CERT-In also put out an advisory about a severe WhatsApp bug in an earlier version of the messaging application. The advisory, rated ‘Severe’ by the authorities at CERT-In, explained that “Multiple vulnerabilities had been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system.”
The vulnerability was detected in “WhatsApp and WhatsApp Business for Android prior to v188.8.131.52 and WhatsApp and WhatsApp Business for iOS prior to v2.21.32.”
Responding to the development, a WhatsApp spokesperson told Inc42 that the bugs have been addressed by the platform with its latest update: “We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages. As is typical of software products, we’ve addressed two bugs that existed on outdated software, and we have no reason to believe that they were ever abused. WhatsApp remains safe and secure, and end-to-end encryption continues to work as intended to protect people’s messages.”