by omnimike 1898 days ago
> Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do.

From the article it appears that the contact importer is an API endpoint which returns a set of Facebook profiles given a set of phone numbers. In that sense, it did exactly what the developer intended.

If I write a script to query google.com and get a response back you could say I'm not using google search as intended, but most software engineers would laugh at me if I claimed to have "hacked" Google in this way.

4 comments
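As an added illustration of the endpoint described in the comment above (this is constructed example code, not the post's and not Facebook's actual implementation): a contact-importer lookup that resolves a batch of phone numbers to profile ids, with the abuse controls a defender would want on such an API. It caps numbers per request, enforces a daily quota per caller, and watches the caller's match rate, since a real address book resolves mostly to real accounts while a bulk probe of number ranges mostly does not. The directory contents, caller names and thresholds are all assumptions chosen for the example.

```python
"""Contact-importer lookup with abuse controls (hypothetical sketch, not production code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample directory: E.164 phone number -> profile id. Not real data.
DIRECTORY = {
    "+15550000101": "profile_a",
    "+15550000202": "profile_b",
    "+15550000303": "profile_c",
}


@dataclass
class CallerState:
    lookups: int = 0    # total numbers this caller has submitted
    matches: int = 0    # how many of those resolved to a profile
    blocked: bool = False


@dataclass
class LookupResult:
    status: str                         # "ok", "too_many", "quota", or "blocked"
    matches: dict = field(default_factory=dict)


class ContactImporter:
    def __init__(self, max_numbers_per_request=50, max_lookups_per_day=500,
                 min_match_rate=0.2, match_rate_window=100):
        # Thresholds are assumptions for the example; tune them against real traffic.
        self.max_per_request = max_numbers_per_request
        self.daily_cap = max_lookups_per_day
        self.min_match_rate = min_match_rate
        self.window = match_rate_window
        self.state = defaultdict(CallerState)

    def is_blocked(self, caller):
        return self.state[caller].blocked

    def lookup(self, caller, numbers):
        state = self.state[caller]
        if state.blocked:
            return LookupResult("blocked")
        # Control 1: a single address-book upload has a natural size; cap it.
        if len(numbers) > self.max_per_request:
            return LookupResult("too_many")
        # Control 2: a per-caller daily quota bounds how much of the directory one
        # account can ever resolve, whatever it submits.
        if state.lookups + len(numbers) > self.daily_cap:
            return LookupResult("quota")

        matched = {}
        for number in numbers:
            state.lookups += 1
            profile = DIRECTORY.get(number)
            if profile is not None:
                state.matches += 1
                matched[number] = profile

        # Control 3: once enough lookups have been seen, a caller whose numbers
        # mostly do not resolve looks like a probe rather than an address book.
        # Block the caller and withhold this batch's results for review.
        if state.lookups >= self.window and state.matches / state.lookups < self.min_match_rate:
            state.blocked = True
            return LookupResult("blocked")
        return LookupResult("ok", matched)


if __name__ == "__main__":
    importer = ContactImporter(max_numbers_per_request=10, max_lookups_per_day=40,
                               min_match_rate=0.5, match_rate_window=20)
    # A genuine address book: mostly real contacts, a few unknown numbers.
    print(importer.lookup("app_user", ["+15550000101", "+15550000999"]))
    # A caller walking a number range: almost nothing resolves, so it gets blocked.
    for start in (0, 10):
        batch = [f"+1555000{i:04d}" for i in range(start, start + 10)]
        print(importer.lookup("range_walker", batch))
```

The match-rate check is the one that distinguishes the intended use (an address book) from the misuse discussed in the thread, while the quota bounds the damage even for a caller who stays under the radar.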

See this from Sep, 2019: https://www.forbes.com/sites/zakdoffman/2019/09/12/new-insta...

"Facebook confirmed to me that the vulnerability was genuine, that the exploit would enable a “bad actor” to connect phone numbers and user details, and that it has prompted changes to be made. They pointed out to me that the exploit process is “complex,” but nonetheless did leave the platform open to abuse and put users at risk."

At a certain level the question is academic, and lawyering over definitions only distracts from the bigger picture. I trusted Facebook with my mobile number. They permitted bad actors to misuse their service, and now bad actors have that number. Facebook should be held accountable. Whether it was through SQL injection or a poorly-thought-out API is academic.

SQL injection = Bug-in-computer-code

Poor API = Bug-in-thought-process

Bug owned by FB either way.

It's almost what they intended. It was an internal API that they never thought would be exploited. (I.e. used by third parties.) Calling it scraping is a pretty fat lie.

I've just checked. My phone number is in the data set. I've never set my phone number public so no one should have been able to 'scrape' it.

On a side note, I remember learning about this feature, or maybe an earlier incarnation, a few years ago when a friend showed me the profile of a girl he just met at a bar. The girl had a pretty common name so I asked my friend how he looked her up, did they have friends in common. I was really just curious how FB would know which person to show. He said "no, she gave me her number and you can look them up like so and so". (I can't remember whether you could search for the number or had to create a contact, but it's beside the point.)

I was pretty baffled because it was obvious that you could just create a very powerful white pages type of db pretty easily. Which someone apparently did for half a billion people.

This also explains how someone managed to call me from a UK number a few weeks ago trying to sell me some newspaper subscription. They said they were from the "Herald digest". And they did know my name (so it wasn't just dialling random numbers.)

> In that sense, it did exactly what the developer intended.

Not sure they envisioned someone enumerating phone numbers and pulling all data. But that would be hilarious if they claim that's what they intended and that was a feature.

There's a difference between an unintended use case and unintended behavior