iOS 6 Facebook Integration Bug

I have found a serious bug that violates Facebook user privacy policy in the new Apple iOS 6 Facebook Integration feature. What I’ve discovered and explain in detail below suggests that the new Facebook Integration feature is circumventing individual users’ privacy settings in Facebook and that the feature is directly accessing the entire Facebook user database unfiltered.

In iOS 6 you can now log in to Facebook from Settings for greater native integration in the Photos, Calendar, and Contacts apps. Once you enter your Facebook login details, a list of apps appears that you can allow access to your Facebook account, namely Calendar and Contacts. There is also an Update All Contacts button. I entered my details, hit the Update All Contacts button and looked through my contacts to see what had changed. The system had paired as many of my contacts as it could with their existing Facebook accounts, showing those specific contacts’ Facebook user names (most often the person’s full first and last names) and their current profile pictures. I noticed right away that one of my contacts was incorrectly paired, so I double checked all of my contacts (200+, give or take). In total there were about 10 misses, but I noticed something that didn’t make sense.

I have a lot of contacts I don’t know very well. I only have their first name and phone number. We absolutely do not know each other well, nor do we have mutual Facebook friends. But my phone was showing me these people’s full Facebook user names (basically their full name) and their profile photos. I recognized them. It was accurate. How could their personal information be pulled through to my phone if they are not friends of mine on Facebook? Underneath the Update All Contacts button it reads:

“Photos and user names are automatically updated for Facebook friends. Choose “Update All Contacts” to temporarily provide Facebook with email addresses and phone numbers from your contacts to update photos and user names for all matching contacts.”

Technically this is occurring; however, I assumed this feature would match user information between my Contacts and my Facebook friends list, whereas it’s comparing my Contacts list to all of Facebook. As long as the info being pulled in is public there would be no problem. I tested it out. I searched those numbers and not a single one came up. As it sits, I can accurately get people’s names and photos with iOS 6 just by having their phone numbers; however, I am unable to do so from Facebook directly. This clearly confirms that this feature is somehow querying all of Facebook, and not just the information I am capable of accessing using my personal Facebook account, whether that information is public or not.

I have other people’s full names and phone numbers who are also my friends on Facebook. About 30% of this group are publishing their phone numbers to their profile and they are visible to me. The other 70% are not publishing their phone numbers to their profile, which can only mean their phone number is only visible to them through individual privacy settings. The problem is that I still have access to it through association in iOS 6. So I started calling people and asking them whether or not their phone number was registered with Facebook and how. The only way to verify that a Facebook friend and a contact in my phone are the same is through their phone number or e-mail address. Every person responded the same: my phone number is registered but it’s locked to Only Me.

Logic suggests that the native Facebook Integration feature in iOS 6 is somehow circumventing individual users’ privacy setting preferences in Facebook. I can’t see a friend’s phone number when I access their account, or even search for their account with it, even though they are my friend. But I can see their full name and photo just by having their phone number in my phone. This implies that the feature is directly accessing the entire Facebook user database unfiltered.

I did not test this in regards to email addresses. In my case only about 5-10% of my total contact list have email addresses, and I left them all out.

It’s very simple to verify this on your own. All you need is an Apple mobile device running iOS 6 that has multiple contacts in it. Go to Settings, enter your Facebook login details, and hit Update All Contacts. Go into your contact list and systematically check every contact that you only have a phone number for and don’t have on Facebook, and see if any of the contacts sync up. If it happens even once, then there is a problem.

In this day and age, having someone’s phone number means very little; it certainly doesn’t mean you’re friends.

3 thoughts on “iOS 6 Facebook Integration Bug”

  1. I realize half of what I reported above is incorrect in theory due to conversations I had with editors at TechCrunch, HOWEVER the initial reason this was undertaken still stands;

    I had the phone number of someone I was not friends with on Facebook on my phone, and their information was synced to my phone from Facebook, when it was later confirmed that that person’s privacy settings in regards to how their account could be found using their phone number and email were set to JUST FRIENDS. Their account should not be linked through, since we are not friends, based on that person’s privacy settings.

    That being the case my argument still stands and needs to be investigated and tested to ensure privacy is being safeguarded in these cross platform integration features.

  2. Obviously you are trying to be sensationalist and not giving all the details on the various privacy options that Facebook provides. In this case, ‘who can find you using your phone or email’ – https://www.facebook.com/help/?faq=289191284498161

    Just because you can’t see their phone number on their profiles doesn’t mean you can’t find that person using the phone number. And if you didn’t know of this setting to begin with, it’s hard to believe those you were trying to find ever changed this privacy setting on their accounts – which defaults to ALLOW.

  3. I just addressed that, lol. I’m not trying to sensationalize anything. That was what was disproved by my talks with TechCrunch. However what I managed to prove afterwards still stands even with that considered, with both privacy setting options.
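The disagreement in the post and the comments above comes down to two different settings governing two different questions: whether a viewer may read a phone number from a profile, and whether a viewer may find an account by that number. The toy model below, added here as an illustration and not code from Apple or Facebook, keeps the two apart. It assumes a four-value audience model (everyone, friends of friends, friends, only me) for both settings and a simplified "Update All Contacts" that pairs a contact with an account only when the account's lookup setting admits the viewer; the accounts, numbers and friendships are constructed sample data. Under that model, a friend whose number is "Only Me" on the profile can still be matched by the sync (the 70% case in the post), while a stranger whose lookup setting is "friends" must not be (the case in comment 1).

```python
"""Toy model of contact matching versus profile visibility (added example).

Assumed audience model for both settings: "everyone", "friends_of_friends",
"friends", "only_me".  `lookup` answers "who can find me by phone number";
`profile` answers "who can see the number on my profile page".
"""
from dataclasses import dataclass, field

AUDIENCES = ("everyone", "friends_of_friends", "friends", "only_me")


@dataclass
class Account:
    name: str
    phone: str
    lookup: str = "everyone"    # who can find the account using the phone number
    profile: str = "only_me"    # who can read the number on the profile page
    friends: set = field(default_factory=set)   # names of this account's friends


def in_audience(viewer: str, owner: Account, audience: str, directory: dict) -> bool:
    """True if `viewer` falls inside `audience` as seen from `owner`."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience {audience!r}")
    if viewer == owner.name or audience == "everyone":
        return True
    if audience == "only_me":
        return False
    if viewer in owner.friends:          # covers "friends" and "friends_of_friends"
        return True
    if audience == "friends_of_friends":
        return any(viewer in directory[f].friends
                   for f in owner.friends if f in directory)
    return False


def match_contacts(viewer: str, contacts: dict, directory: dict) -> dict:
    """Simulated "Update All Contacts": each contact's number is looked up and a
    name pairing is returned only if the owner's *lookup* setting admits the
    viewer.  Returns {contact_label: account_name}."""
    by_phone = {acct.phone: acct for acct in directory.values()}
    paired = {}
    for label, phone in contacts.items():
        acct = by_phone.get(phone)
        if acct is not None and in_audience(viewer, acct, acct.lookup, directory):
            paired[label] = acct.name
    return paired


def number_visible(viewer: str, owner: Account, directory: dict) -> bool:
    """Whether `viewer` can read the number on `owner`'s profile page."""
    return in_audience(viewer, owner, owner.profile, directory)


# Constructed sample accounts (hypothetical names and numbers).
DIRECTORY = {
    "Me":    Account("Me",    "+15550000000", friends={"Alice"}),
    "Alice": Account("Alice", "+15550000001", lookup="everyone", profile="only_me",
                     friends={"Me", "Erin"}),
    "Erin":  Account("Erin",  "+15550000002", lookup="friends_of_friends",
                     friends={"Alice"}),
    "Bob":   Account("Bob",   "+15550000003", lookup="everyone"),
    "Carol": Account("Carol", "+15550000004", lookup="friends"),
}

# Constructed phone contacts as they would sit in the viewer's address book.
CONTACTS = {
    "Alice (friend)":                       "+15550000001",
    "Erin (friend of a friend)":            "+15550000002",
    "Bob (stranger, default setting)":      "+15550000003",
    "Carol (stranger, friends-only lookup)": "+15550000004",
}

if __name__ == "__main__":
    paired = match_contacts("Me", CONTACTS, DIRECTORY)
    for label in CONTACTS:
        print(f"{label:40s} -> {paired.get(label, '(no match)')}")
    print("Alice's number readable on her profile:",
          number_visible("Me", DIRECTORY["Alice"], DIRECTORY))
```

Running it pairs Alice, Erin and Bob but not Carol, and reports Alice's number as unreadable on her profile even though the sync matched her: the profile setting never enters `match_contacts`, which is the distinction comment 2 raises. A sync that pairs Carol's number to her name would be behaviour the model does not permit, and that is the check the post's final paragraph describes doing by hand.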
