Facebook Marketplace Flaw Revealed Seller's Exact LocationPrivacy Peril: Thieves Use Location Data to 'Shop' for High-Value Items
Facebook has patched a flaw in its digital marketplace that could have been abused to identify the location of a seller, and by extension, their goods.
See Also: 2021: The Cyber-Attack Outlook
Facebook Marketplace, available via both the Facebook app and website, allows users to list items for sale.
"What I discovered would essentially allow thieves to treat Facebook's marketplace as a shopping list," says Moss, who's a senior security consultant at 7 Elements, a security testing and incident response consultancy in Edinburgh, Scotland.
Moss says he verified the problem by creating a listing using Facebook's app, then pinning the location of the item for sale to a hotel in Newcastle.
Without logging into Facebook, Moss then visited the listing and found that it included not only the full postcode - letters and numbers added to a postal address, which function like U.S. ZIP codes - but also the latitude and longitude.
"As someone who has spent the last seven years fighting bike theft in my spare time, I'm especially concerned that thieves could have used this to identify the location of high-value bicycles that are often stored in easy-to-break-into outbuildings," he says (see: Fitness Dystopia in the Age of Self-Surveillance).
Facebook Twice Rejected Flaw Report
Moss said it appears that Facebook never intended to reveal such specific location information. When listing something for sale, for example, Facebook's interface displays a large circle showing "seller location," suggesting that it's approximate.
But he found this wasn't the case with the JSON data, which failed to truncate the postcode. "I would also have expected that Facebook only reveal the first three or four characters of the postcode and not the full thing - or to randomize the location within the circle. Indeed, when Facebook made the fix to prevent this information from being leaked, the above seems to be the approach they took, and now when I try to add an advert, it snaps to a local park."
While the problem has now been fixed, Moss said Facebook rejected his bug report twice, saying it wasn't a security vulnerability.
"Feeling a little bit down, I talked to someone I know who works at Facebook. They were able to get someone to take a more in-depth look at what I was actually reporting, and as a result the report was accepted," he says. "A fix was then quickly implemented after just over a week."
Moss also received a $5,000 bug bounty from the social network.
"We recently received a bug bounty report about an issue in Marketplace which identified a scenario where an attacker could have seen a more precise than intended location for the listing displayed in JSON," a spokesman tells Information Security Media Group. "We fixed the issue, and we're grateful to the security research community for their help keeping the Facebook community safe."
Facebook didn't immediately comment about how long the location-spilling flaw existed and whether it was worldwide, or about the challenges Moss faced when trying to report the problem.
"I first identified the issue on the Feb. 10. I can't say if it was there before that," Moss tells ISMG. "I tested it only in the U.K."
To be clear, Moss says his bug bounty won't be paying for any new bikes. "My long-suffering partner has asked to spend it kitting out our kitchen and a family holiday," he says. "Apparently I'm only allowed so many bikes."
More App Security Problems
This isn't the first time that poor app security has led to users' personal details, including location, being revealed.
- PumpUp in June 2018 confirmed that it had been exposing data about users, including their email addresses, location and workout records, as well as self-reported health information - such as height and weight - and some unencrypted credit card information, including payment card numbers, that had been uploaded to an internet-exposed Amazon server that anyone could access.
- Under Armour's MyFitnessPal app and website: Passwords and other data for 150 million users were stolen by a hacker, the company warned in March 2018. MyFitnessPal is a free smartphone app and website that enables users to track diet and exercise to help with weight loss. It can also be used to track a user's workouts.
- Strava until last year offered global heat maps showing how often users traveled on specific routes while recording their workouts via the company's app, which runs on smartphones and wearables. But the data also appears to have disclosed the layout of top secret facilities and could have been used to identify individuals serving in secret roles.
The problem being researched by Moss is not academic. Indeed, doing an online search for "Strava theft" reveals numerous instances in which fitness aficionados who posted their bicycle outings online found that thieves used them as a way to identify interesting items to steal.
"Members of the public should take care when using apps such as Strava to ensure they do not inadvertently give away private information and locations," Sergeant Rob Danby of England's Humberside Police warned several years ago, saying he'd seen an increase in thefts of bicycles from garages and sheds.
In September 2018, for example, someone stole more than $16,000 worth of high-performance bicycles from Adam Jones's garage in Essex, England, while leaving his wife's clunker behind.
Jones told England's Echo newspaper that he suspected the thief must have been someone who knew him.
"But then after speaking to one of the cycling shops here, the chap said: 'Are you quick and are you on Strava?'" Jones told The Daily Mail.
"I had no idea that what criminals are doing is working out where people are cycling and on what routes, then using that to track where they live," he said. "They are making the correlation between people posting quick times and probably having the better equipment. I was so shocked when I realized what had happened, it must have been like a treasure chest to whoever broke in."
Privacy: Not Always a Default
Apps such as Strava have settings to hide the beginning and end of rides, or to set exclusion zones in which information does not get recorded.
But many users apparently fail to understand or configure such controls.
Another challenge, security experts say, is that some apps - including Facebook - may list a user's real name, as can the choice of an online handle for public listings. Thus, even without location data, the identity and location of anyone who posts an advertisement may not be difficult for an attacker to deduce via an internet search.