Application Security , Big Data Security Analytics , Governance

Facebook Marketplace Flaw Revealed Seller's Exact Location

Privacy Peril: Thieves Use Location Data to 'Shop' for High-Value Items
Facebook Marketplace Flaw Revealed Seller's Exact Location
Data returned by Facebook Marketplace listings created via Facebook's app included a seller's exact latitude and longitude. (Source: John Moss)

Facebook has patched a flaw in its digital marketplace that could have been abused to identify the location of a seller, and by extension, their goods.

See Also: Live Webinar | Unlocking CIAM - the secret to balancing frictionless registration and high data integrity

Facebook Marketplace, available via both the Facebook app and website, allows users to list items for sale.

Researcher John Moss was researching how he might scrape the Facebook Marketplace for information that could be useful for helping to recover stolen goods. But when researching the location data that the marketplace provided, he found that the JSON - JavaScript object notation - responses for advertisements that had been created with the Facebook mobile app were not approximate. Instead, Moss says in a blog post, the data included precise latitude and longitude coordinates.

Moss said Facebook's statement that "location is approximate to protect the seller's privacy" was not always accurate.

"What I discovered would essentially allow thieves to treat Facebook's marketplace as a shopping list," says Moss, who's a senior security consultant at 7 Elements, a security testing and incident response consultancy in Edinburgh, Scotland.

Moss says he verified the problem by creating a listing using Facebook's app, then pinning the location of the item for sale to a hotel in Newcastle.

Moss created his own listing to verify the problem, pinning the location to a hotel in Newcastle upon Tyne, in northeast England.

Without logging into Facebook, Moss then visited the listing and found that it included not only the full postcode - letters and numbers added to a postal address, which function like U.S. ZIP codes - but also the latitude and longitude.

The JSON data contained in the listing returned exact coordinates for the hotel Moss chose as his own location when he listed the item for sale.

"As someone who has spent the last seven years fighting bike theft in my spare time, I'm especially concerned that thieves could have used this to identify the location of high-value bicycles that are often stored in easy-to-break-into outbuildings," he says (see: Fitness Dystopia in the Age of Self-Surveillance).

Facebook Twice Rejected Flaw Report

Moss said it appears that Facebook never intended to reveal such specific location information. When listing something for sale, for example, Facebook's interface displays a large circle showing "seller location," suggesting that it's approximate.

JSON previously returned by Facebook's Marketplace. (Source: John Moss)

But he found this wasn't the case with the JSON data, which failed to truncate the postcode. "I would also have expected that Facebook only reveal the first three or four characters of the postcode and not the full thing - or to randomize the location within the circle. Indeed, when Facebook made the fix to prevent this information from being leaked, the above seems to be the approach they took, and now when I try to add an advert, it snaps to a local park."

While the problem has now been fixed, Moss said Facebook rejected his bug report twice, saying it wasn't a security vulnerability.

"Feeling a little bit down, I talked to someone I know who works at Facebook. They were able to get someone to take a more in-depth look at what I was actually reporting, and as a result the report was accepted," he says. "A fix was then quickly implemented after just over a week."

Moss also received a $5,000 bug bounty from the social network.

"We recently received a bug bounty report about an issue in Marketplace which identified a scenario where an attacker could have seen a more precise than intended location for the listing displayed in JSON," a spokesman tells Information Security Media Group. "We fixed the issue, and we're grateful to the security research community for their help keeping the Facebook community safe."

Facebook didn't immediately comment about how long the location-spilling flaw existed and whether it was worldwide, or about the challenges Moss faced when trying to report the problem.

"I first identified the issue on the Feb. 10. I can't say if it was there before that," Moss tells ISMG. "I tested it only in the U.K."

To be clear, Moss says his bug bounty won't be paying for any new bikes. "My long-suffering partner has asked to spend it kitting out our kitchen and a family holiday," he says. "Apparently I'm only allowed so many bikes."

More App Security Problems

This isn't the first time that poor app security has led to users' personal details, including location, being revealed.

  • PumpUp in June 2018 confirmed that it had been exposing data about users, including their email addresses, location and workout records, as well as self-reported health information - such as height and weight - and some unencrypted credit card information, including payment card numbers, that had been uploaded to an internet-exposed Amazon server that anyone could access.
  • Under Armour's MyFitnessPal app and website: Passwords and other data for 150 million users were stolen by a hacker, the company warned in March 2018. MyFitnessPal is a free smartphone app and website that enables users to track diet and exercise to help with weight loss. It can also be used to track a user's workouts.
  • Strava until last year offered global heat maps showing how often users traveled on specific routes while recording their workouts via the company's app, which runs on smartphones and wearables. But the data also appears to have disclosed the layout of top secret facilities and could have been used to identify individuals serving in secret roles.

'Strava Theft'

The problem being researched by Moss is not academic. Indeed, doing an online search for "Strava theft" reveals numerous instances in which fitness aficionados who posted their bicycle outings online found that thieves used them as a way to identify interesting items to steal.

"Members of the public should take care when using apps such as Strava to ensure they do not inadvertently give away private information and locations," Sergeant Rob Danby of England's Humberside Police warned several years ago, saying he'd seen an increase in thefts of bicycles from garages and sheds.

In September 2018, for example, someone stole more than $16,000 worth of high-performance bicycles from Adam Jones's garage in Essex, England, while leaving his wife's clunker behind.

Jones told England's Echo newspaper that he suspected the thief must have been someone who knew him.

"But then after speaking to one of the cycling shops here, the chap said: 'Are you quick and are you on Strava?'" Jones told The Daily Mail.

"I had no idea that what criminals are doing is working out where people are cycling and on what routes, then using that to track where they live," he said. "They are making the correlation between people posting quick times and probably having the better equipment. I was so shocked when I realized what had happened, it must have been like a treasure chest to whoever broke in."

Privacy: Not Always a Default

Apps such as Strava have settings to hide the beginning and end of rides, or to set exclusion zones in which information does not get recorded.

But many users apparently fail to understand or configure such controls.

Another challenge, security experts say, is that some apps - including Facebook - may list a user's real name, as can the choice of an online handle for public listings. Thus, even without location data, the identity and location of anyone who posts an advertisement may not be difficult for an attacker to deduce via an internet search.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.