Facebook working to fix bug that exposes millions of mobile users to privacy hacks

The producers of a privacy app say they have unintentionally stumbled across a major Facebook bug that makes millions of users vulnerable to identify theft from hackers.

“We really didn’t believe it at first,” MyPermissions CEO Olivier Amar told Yahoo News in a phone interview. “Any application that uses Facebook to connect can be shut down.”

Put simply, the bug prohibits users from revoking an app’s access to their personal information on Facebook’s permissions page.

Amar and his Israel-based team discovered the bug while testing their app, which allows users to control privacy settings on various Facebook games, apps and functions. When they went to the privacy settings for some of the site’s biggest apps, they realized they couldn’t access the user settings.

Nearly half of Facebook users access their accounts exclusively through a mobile phone or tablet, and more than 150 apps have privacy permissions pages that could be affected by the bug.

“Think about it like this: You download an app that promises to do one thing, but actually comes from a hacker who wants to seriously invade your privacy by mining your data,” reads a post on the company’s blog. “Given the right coding, this developer could trigger the same effect, basically making it impossible for a user to disconnect this malware app and revoke its permission to access your personal information.”

At first, they thought that simply meant users couldn’t delete certain apps from their phones and tablets. But after stress testing the bug throughout the evening on Wednesday, they discovered the issue was much more serious.

If a hacker replicated the code used in the bug, they could block users from accessing their own account for several hours, giving the hacker access to a list of contacts, phone numbers, emails and other private information.

“We have a former hacker that works for us,” Amar said. “He told us that this is something he absolutely would have used and that the code could be replicated in less than hour.”

Amar said that after confirming the bug’s existence, his team immediately reached out to Facebook’s privacy team.

“The first thing we did, we went straight to Facebook,” he said. “They did a fantastic job of getting in touch with us very quickly. Facebook takes this very seriously, and I’m very impressed by them.”

Yahoo News reached out to Facebok for comment on the story. Neither Facebook nor MyPermissions have publicly said when the bug will be removed, but it likely will be gone by the end of Thursday.

Facebook has made a number of changes to its privacy settings in recent months and has made several public gestures to assure users that they can directly control and monitor how much of their information is available to the public.

Still, anytime users voluntarily agree to share their personal information with an outside app, they are taking some level of risk akin to entering one’s credit card information or other personal info on any number of retail sites.

Amar refused to divulge the process for replicating the bug on the record during our interview, but needless to say, it could be accomplished by someone with a basic knowledge of coding in a short amount of time if he or she knew where to look.

“We shut down the biggest Facebook applications permissions pages on mobile,” he said. “We were literally doing it 50-100 applications at a time. Within the space of 30 seconds, we could shut down 100 applications at a time.”

Amar said that while he believes the bug is limited to mobile and tablet devices, he said Facebook is testing it on desktops as well to completely eliminate any potential breaches.

And while he and his team are happy to help, he said it’s “a little odd” to be working directly with Facebook when his company’s mission has essentially been to protect users’ privacy from Facebook.

“We really set out to protect users,” he said. "We never thought we’re going to end up protecting Facebook.”

Follow Eric Pfeiffer on Twitter