Facebook privacy loophole allowed personal data of 'closed' group members to be downloaded

Grouply.io Chrome extension allowed sensitive data to be accessed by marketers

A Chrome browser extension called Grouply.io allowed marketers to harvest the personal information of members of private Facebook groups.

The loophole was investigated by security researcher Fred Trotter. Trotter had been contacted by Andrea Downing, a moderator of a members-only Facebook group for women with a high genetic risk of developing breast cancer. The Facebook group's members frequently shared highly personal information about their conditions, including surgical details.

Facebook groups have three accessibility categories: public, closed and secret. In public groups, the list of members and all posts are publicly accessible. In closed groups, the posts are private but the group itself can still be found by search, while secret groups cannot be searched at all.

The BRCA Sisterhood group used the 'closed' rather than the 'secret' setting as its moderators wanted posts to be searchable. However, Downing was shocked to discover that the names, employers, locations and email addresses of the group's members could be downloaded easily by anyone using the Grouply.io extension.

Trotter, a specialist in health data security, found that the Grouply.io extension was taking advantage of a Facebook privacy loophole. He was also able to obtain this information manually without having to use the extension. He reported the issue to Facebook on 29 May.

Facebook denied the glitch was a loophole. As reported by CNBC, the company responded on 20 June with the following statement.

"Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward."

On 29 June Facebook closed the loophole and has since changed its privacy policies covering closed groups. The Grouply.io extension is no longer available.

The case demonstrates the risk of sharing sensitive information on Facebook and other platforms whose business model is monetising personal data and whose terms and conditions are constantly changing.