So here’s today’s lesson: every so often, the press can get a little carried away and then it’s on you to set the story straight. Here are the facts:
Last Tuesday, we started testing the new version of the MyPermissions Online Privacy Shield for Android. On Wednesday afternoon we discovered what appeared to be an anomaly with the Facebook app permissions pages — some of them weren’t registering as accessible through mobile. We took note of it and talked about it amongst ourselves, spoke to a couple of people, and decided to verify whatever it was that we seemed to have found the next day.
On Thursday, after more testing, we realized that somehow, something in the way we were testing was causing app permission pages to become unavailable from any mobile platform. We checked and double-checked the theory, and we waited until we had confirmation from 3 different continents and replicated the same bug repeatedly in our offices to confirm that we were in fact doing something to Facebook to render certain settings pages unavailable.
Basically, we waited until we knew for sure that some of our behavior was affecting the way Facebook was operating. Once we confirmed that, we immediately reached out to Facebook, and — just to be clear — we didn’t ask for (and still haven’t) any money or “bounty” from Facebook for this.
Facebook’s security team responded to us with incredible speed. Within 30 minutes of us reaching out to a personal contact there, they started working at an amazing pace to sort out what it was that we discovered. For the next 7 hours thereafter, Facebook was in direct contact with us via multiple emails (20 to date), through which we provided them with very specific details about how we were able to cause these pages to not be accessible.
So what’s the issue? Why is there some dissonance here?
Facebook requested that we send them part of our actual code that makes our product ours so that they could test out the bug with the original resources used to reveal it. The problem for us is that what they want is part of our core product and our intellectual property (IP); while we totally want to help them get this fixed, we can’t give them the inner contents of our service. So, we told them, they could have everything else from us except our coding.
To back up our words with real cooperation, we’ve given them complete access to our Facebook testing account originally used to “create” the bug, and offered to replicate the scenario for them on any account they wanted to help them create and unravel the problem.
In respect, therefore, to the sensational title in which MyPermissions is supposedly telling Facebook to “come to Tel Aviv to get it,” the actual quote is slightly misrepresented. What actually was said during the interview went more along the lines of “Facebook has offices seven minutes away from ours, so they’re welcome to come to our office in Tel-Aviv and we’ll be happy to sit with them and continue to work on this with them.”
In sum, we are continuing to work with Facebook on this issue. MyPermissions has now invested a total of over 60 hours in and around this vulnerability, and we’re dedicated to continuing to try and help Facebook given the reasonable limitations we have. It’s in all our interests that matters like this be handled with every possible cooperation so that we can continue to offer not only the best service we can to millions of people, but also the basic ability to control who has access to their personal information online.