Anyone with an email address can log in to the law enforcement portals of Facebook and WhatsApp and submit a request to receive user data. Law enforcement portals are designed to allow, for example, police or government officials to submit a request for specific data to be sent to them.
Access to the two portals does not by itself give access to user information or to sensitive information about the company. However, the portals are not designed to filter email addresses in any way, leaving the door open for spammers to freely access the portals and send fake requests.
Last week, security researcher Jacob Riggs discovered that he could access the two portals with any email address. All he had to do was enter his email address, submit it to the portals and then click on a confirmation link received in his email inbox.
Once the process was complete, he could request the files he wanted using the portals' request forms.
Riggs reported the issue to Facebook, believing it was due to a design flaw that needed to be fixed. Facebook, however, told Riggs it was a feature, not a mistake.
"Dedicated teams of both Facebook and WhatsApp carefully consider every request from the police or the government to ensure that we only comply with valid legal procedures required by applicable law. While maintaining policies to prevent spam on the online request system, we have chosen a different approach to these requests because we manually check each request coming to our company," said a representative of Facebook. "In many cases, the requests include emergency situations with real-time needs, and we'd rather check access requests manually than automatically reject an unknown 'email domain' like the one used by the security researcher."
The spokesman added that the system rejects some "email domains" and has other rules to prevent spam. In other words, Facebook prefers to allow anyone to submit a request and then check that it is real and legal, rather than blocking it with an automated system.
In any case, both the Facebook and WhatsApp portals include a notice to discourage potential spammers, warning them that only "government entities authorized to receive evidence data in relation to formal legal proceedings" may submit such requests.
"Unauthorized requests will be prosecuted," the notice said. "By requesting access, you accept that you are a government or police officer making a request in your official capacity."
Technology companies regularly receive and process legitimate data requests through these portals. In its latest transparency report, which includes request data for Facebook, Facebook Messenger, Instagram, WhatsApp and Oculus and covers the last six months of 2019, the company revealed that it had received 140,875 requests for user data.