Facebook is sorry for text spamming 2FA users, blamed it on a bug

Facebook claimed a ‘bug’ was responsible for sending text spam to phone numbers provided by two-factor authentication (2FA) users.


While two-factor authentication (2FA) does not guarantee account security (social engineers can talk their way around it), it is wise to enable that extra layer of protection. However, a company entrusted with a phone number for 2FA purposes should not use that number to push any other type of notification to the phone.

Facebook crossed that line recently; it blamed the text message spam on a "bug" and has apologized.

Numerous people complained that Facebook was spamming them with random notifications via the phone number they provided when turning on 2FA. The spam included things such as status updates, shared links and comments. If people replied to a spam notification, for example by texting back something like “STOP,” their replies were automatically posted on their walls.

One of the most widely cited examples came from software engineer Gabriel Lewis.

On Friday, Facebook CSO Alex Stamos apologized for spamming people who signed up for 2FA with non-security related SMS notifications. He rightfully explained that 2FA is “an important security feature,” while also pointing out that users have control over notifications. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications.”

Stamos wrote:

It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.

Was it really a bug?

Yet there is some debate as to whether this was even a “bug.” Johns Hopkins University professor Matthew Green tweeted:

Green also pointed out that Facebook’s spam looked “exactly like real 2FA login attempts when your phone screen is locked,” prompting people to check it. He added, “This in turn drives decision fatigue for users, which can harm security across all of the accounts they use. ‘Oh, just more FB spam, I’ll ignore that’.”

Other folks are adamant about it being a bug.

As to why people’s replies to the notifications were being posted as status updates on Facebook, Stamos explained that Facebook has long supported posting via text message.

“This feature is less useful these days,” and Facebook is “working to deprecate this functionality soon,” he said.

Lauren Weinstein, founder of the Privacy Forum and co-founder of both the Network Neutrality Squad and the People for Internet Responsibility, suggested, “What’s most revealing here is what this situation suggests about Facebook’s own internal privacy practices. Proper proactive privacy design would have compartmentalized those phone numbers and associated data in a manner that would have prevented a ‘bug’ like this from ever triggering such abuse of those numbers. Facebook’s sloppiness in this regard has now been exposed to the entire world.”

Weinstein wondered what other systemic privacy design failures would result in “bugs” that Facebook could exploit to “harass innocent” users.
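The compartmentalization Weinstein describes can be made concrete in code. The following is an added illustration, not Facebook's code, and the names (`WeakUser`, `PhoneContact`, `Purpose`, `resolve_recipient`, `accept_inbound_post`) are hypothetical. It contrasts a weak data model, where a single `phone` field collected for 2FA is reachable by every sender, with a purpose-bound model in which each number carries the purposes the user consented to and every outbound or inbound SMS path must name its purpose. In the hardened version a social notification cannot be routed to a 2FA-only number, and a "STOP" reply from such a number cannot become a wall post.

```python
"""Purpose-bound phone contacts (added example; hypothetical names throughout)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Purpose(Enum):
    SECURITY = "security"        # 2FA codes, login alerts
    SOCIAL = "social"            # status updates, comments, shared links
    POST_BY_SMS = "post_by_sms"  # inbound: text a status update to the wall


# --- weak design: one field, no record of why it was collected -------------
@dataclass
class WeakUser:
    name: str
    phone: Optional[str] = None  # collected for 2FA, but nothing says so


def weak_send(user: WeakUser, kind: str) -> Optional[str]:
    """Any message kind reaches the 2FA number; the 'bug' is the design."""
    return user.phone


# --- hardened design: each number is bound to explicit purposes ------------
@dataclass(frozen=True)
class PhoneContact:
    number: str
    purposes: frozenset  # Purposes the user explicitly opted into


@dataclass
class User:
    name: str
    contacts: List[PhoneContact] = field(default_factory=list)


class PurposeViolation(Exception):
    """Raised when a sender asks for a number outside its consented purpose."""


def resolve_recipient(user: User, purpose: Purpose) -> Optional[str]:
    """Return a number only if the user consented to this purpose for it."""
    for contact in user.contacts:
        if purpose in contact.purposes:
            return contact.number
    return None


def send_sms(user: User, purpose: Purpose, body: str) -> str:
    """Outbound gate: the caller must declare the purpose of the message."""
    number = resolve_recipient(user, purpose)
    if number is None:
        raise PurposeViolation(f"{user.name}: no number consented for {purpose.value}")
    # A real system would hand (number, body) to the SMS gateway here.
    return number


def accept_inbound_post(user: User, sender_number: str) -> bool:
    """Inbound gate: only numbers enrolled for post-by-SMS may create posts,
    so a 'STOP' reply from a 2FA-only number is dropped, not published."""
    return any(
        c.number == sender_number and Purpose.POST_BY_SMS in c.purposes
        for c in user.contacts
    )


def demo() -> dict:
    # Constructed sample data, not real numbers.
    weak = WeakUser("alice", phone="+15550000001")
    hardened = User("bob", [PhoneContact("+15550000002", frozenset({Purpose.SECURITY}))])
    results = {
        "weak_social_goes_to_2fa_number": weak_send(weak, "social"),
        "hardened_security": send_sms(hardened, Purpose.SECURITY, "Your login code is 123456"),
        "hardened_social": resolve_recipient(hardened, Purpose.SOCIAL),
        "stop_reply_becomes_post": accept_inbound_post(hardened, "+15550000002"),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `Purpose` parameter on `send_sms` is that a notification subsystem added later cannot silently reuse a 2FA number: it has to ask for `Purpose.SOCIAL`, and the lookup fails unless the user opted in. Storing the consent on the contact record rather than as a global "send me SMS" flag is what keeps the two data flows apart.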

Copyright © 2018 IDG Communications, Inc.
