Facebook admits its spam texts to two-factor authentication phone numbers were caused by a bug
Facebook’s Chief Security Officer, Alex Stamos, has announced that the behaviour that caused some users to receive non-security notifications by text message at the phone numbers they had registered for two-factor authentication was a bug.
In a blog post, he said “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications. It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused.”
Some users who experienced the bug also discovered that when they sent replies to the notifications asking them to stop, their messages were posted to their Facebook walls for everyone to see. According to Stamos, in these instances, the social network’s behavior was not a flaw, but rather functionality the users were simply not aware of.
“For years, before the ubiquity of smartphones, we supported posting to Facebook via text message, but this feature is less useful these days. As a result, we are working to deprecate this functionality soon.”
This excuse still sounds a little fishy to me, since Facebook’s support pages say you need to set up Facebook Texts to take advantage of this functionality. As we mentioned in the original story below, Gabriel Lewis, the programmer who highlighted the faults, explicitly said he’d never signed up for text messaging.
Having said that, the phone number from which Lewis received the notifications (32665) is the very same number Facebook uses for the text message features, so who knows. The moral of the story is if you don’t want something to appear on your wall, don’t share it with Facebook by accident.
Original story continues below:
Facebook is under scrutiny for two significant flaws in its handling of two-factor authentication.
Two-factor authentication, or 2FA, is used to add an extra layer of security to online accounts. When you log in using a username and password, a second, unique code is generated, often sent by SMS, to stop anyone else from accessing an account.
As reported by The Verge, US software engineer Gabriel Lewis noticed earlier this week that Facebook was sending text notifications to a phone number he’d registered only for receiving these login codes. Significantly, he had never opted to enable text message notifications.
The second flaw, which appears to be a bug, is that when Lewis replied to the texts asking Facebook to stop sending them, his responses were posted to his Facebook wall for all his friends to see. To add insult to injury, the notifications then continued.
The first flaw is, in many ways, more troubling, because it seemingly means Facebook is using users’ phone numbers for marketing purposes without explicit permission. As The Verge points out, this gives ground for legal action in the US, where the Telephone Consumer Protection Act prohibits companies from contacting you in this way without consent.
That’s not to say the implications of the second flaw aren’t also significant. Twitter user David Comdico managed to tell all his family to go to hell inadvertently by replying to the notifications in anger, which is obviously far from ideal.
At this stage, it does appear the flaws are region-specific, and they don’t appear to be affecting anyone in the UK. What’s more, when I try replying to a login code SMS, the text messages simply fail to send, so nothing appears on my Facebook wall.
Prominent Turkish writer, Zeynep Tufekci, who was outspoken in her criticism of the flaws, asked whether anyone in the EU had been affected, and at the time of writing, nobody has responded to say they have.
Facebook gave us the same statement it gave to The Verge: “We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications.”
The social network did not clarify whether the automatic posting to users’ walls was a bug and it also stated that users can use two-factor authentication without registering a phone number using the “code generator” on the Facebook mobile app.
It’s hard to imagine that either of the flaws are calculated moves on Facebook’s part, especially after Mark Zuckerberg made it his New Year’s resolution to fix the social network’s flaws. The site’s head of Civic Engagement, Samidh Chakrabarti, also recently announced measures to help rebuild users’ trust in the site. Instead, it looks like two bugs have simply come together in the worst of ways.
However, until there’s further clarification from Facebook on how users came to receive notifications via the phone number they’ve registered for two-factor authentication, some will inevitably question whether it’s yet another example of the social network’s increasing desperation to drive user engagement.