Facebook exposed private lists of users' friends to app developers without their knowledge until two weeks ago, despite claiming to have blocked this functionality three years ago.
The loophole allowed apps to collect the friend lists of anybody who had installed the app, exposing their names and profile photos. Facebook quietly switched the "taggable friends" interface off on April 4, burying the announcement among a series of other privacy measures.
The revelations are the latest privacy blow to the social network, which has come under fire for enabling app makers to pool personal information of millions of unknowing users.
The data were later sold to companies such as Cambridge Analytica, and allegedly employed by Donald Trump and Ted Cruz's presidential campaigns.
In 2014, Facebook was made aware that an app developed by a Cambridge University academic had been scooping up personal details on not only those who installed it but all of their friends, culminating in what Facebook estimated to be a database of 87 million people.
In the same year, it stopped developers from being able to access friends' data, such as their relationship status and the pages they had liked.
It also blocked developers from collecting a list of all a user's friends' names. In Mark Zuckerberg's testimony to US Congress, he said: "In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the Facebook -information apps could access. Most importantly, apps like Kogan's could no longer ask for information about a person's friends unless their friends had also authorised the app".
However, Facebook failed to shut down the taggable friends feature in 2014, which granted similar access. This meant apps were able to mine information including photos and names for another three years.
By default, Facebook profiles allow users to "tag" their friends in pictures and status updates, and the feature must be switched off manually. Since the majority of users do not change their default settings, anybody who installed a Facebook app, such as a quiz or personality test, exposed most of their friends' names.
Facebook has not revealed how many developers had access to this API or whether it has any evidence of abuse. When the Cambridge Analytica debacle came to light, it warned that it was aware of "malicious actors" who may have abused its systems to create profiles of people without their knowledge.
While the taggable friends feature would not grant as rich a data set as ones accessed before 2014, it may have provided a starting point for a firm or researcher to target them for further collection.
It could be used to calculate things such as credit risk, based on what friends had in common, as well as political influence by association.
Bryan Carney, a journalist and developer who first alerted Facebook to the bug, said that he was able to pull his entire friend list through the loophole and noticed hackers discussing how to use the information on web forums. Mr Carney alerted Facebook through its bug bounty programme.
-Â The Daily Telegraph
Take your Radio, Podcasts and Music with you
